There is a double encoding or escaping of the cc_owner field when printed on the order review page. I'm not entirely sure where the 2nd one is, but changing a check_plain() to filter_xss() in uc_credit fixes it, though it may need to be done elsewhere. If you hit the back button provided, the 'card owner' data is again double encoded when displayed in the input box. There is no need for any escaping/encoding of it at all in that case - it should just be displayed as is as it is an input field. To be honest, ubercart should be following Drupal's policy of sanitization on output, not input, so doing a check_plain on $_POST variables, etc is just wrong and leads to problems like these.
FYI, the data that triggered the double encoding was a name like "John O'Brien" - the single quote is converted to