I was looking at this issue backwards. Special HTML entities are converted when saved in Custom Code text boxes to safely store them in your Database, and when file writing occurs they are converted back to characters. So actually what is needed is: ENT_QUOTES. This code change has been completed in BPS Pro 8.1.
Database Value:
"bps_customcode_three";s:241:"Header set X-Content-Security-Policy "default-src 'self'; img-src 'self' analytics.mydomain.com; \
script-src 'self' analytics.mydomain.com ajax.googleapis.com; font-src 'self' data:" env=ie";
Code change for file writing:
$CustomCodeThree = '';
if ( $BPSCustomCodeOptions['bps_customcode_three'] != '') {
    // Decode the stored entities, single quotes included (ENT_QUOTES), back to characters before the file is written.
    $CustomCodeThree = "# CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE\n".htmlspecialchars_decode($BPSCustomCodeOptions['bps_customcode_three'], ENT_QUOTES)."\n\n";
} else {
...
...
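The round trip described in the post, as an added example that is not BPS Pro code: it encodes a shortened copy of the directive and decodes it once with ENT_COMPAT and once with ENT_QUOTES, listing any entities that would still reach the written file. The save-side htmlspecialchars() call, the helper names build_block() and leftover_entities(), and the sample comment line are assumptions made for illustration.

```php
<?php
// Constructed sample: a shortened copy of the directive from the post,
// as it would be typed into the Custom Code text box.
$typed = "Header set X-Content-Security-Policy "
       . "\"default-src 'self'; img-src 'self' analytics.mydomain.com\" env=ie";

// Assumption: the save path encodes both quote styles before storing the
// value. Flags are passed explicitly because the default changed in PHP 8.1.
$stored = htmlspecialchars($typed, ENT_QUOTES, 'UTF-8');

// Hypothetical helper: builds the text that would be written to the file,
// decoding the stored value with the given flags.
function build_block(string $stored, int $flags): string
{
    return "# CUSTOM CODE (sample)\n"
         . htmlspecialchars_decode($stored, $flags) . "\n\n";
}

// Hypothetical helper: returns HTML entities still present in the output.
// Any hit means the file would contain literal "&...;" text where a quote
// character was intended.
function leftover_entities(string $text): array
{
    preg_match_all('/&(?:#\d+|#x[0-9a-f]+|[a-z]+);/i', $text, $m);
    return array_values(array_unique($m[0]));
}

foreach (['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES] as $name => $flags) {
    $out  = build_block($stored, $flags);
    $left = leftover_entities($out);
    printf(
        "%-10s round trip: %-6s leftover entities: %s\n",
        $name,
        strpos($out, $typed) !== false ? 'ok' : 'BROKEN',
        $left ? implode(' ', $left) : 'none'
    );
}
```

A check like leftover_entities() can also be run over the generated file after a save to confirm that no encoded quotes ended up inside a header value.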