Escaping & - when to use &amp;?
Ok so you realize you need to escape ampersands in URLs in (X)HTML, and this includes attributes like href even though it looks like they're safely wrapped up inside quotes. This is because the attribute value is CDATA, which is still parsed for entity references.
So you've seen that even some big sites like Google don't bother to do this, so do you actually need to? Yes. This page shows what happens when a query string parameter name matches the name of a recognized entity, like "copy". yuk!
Re XHTML, the spec says:
When an attribute value contains an ampersand, it must be expressed as a character entity reference (e.g. "&amp;"). For example, when the href attribute of the a element refers to a CGI script that takes parameters, it must be expressed as http://my.site.dom/cgi-bin/myscript.pl?class=guest&amp;name=user rather than as http://my.site.dom/cgi-bin/myscript.pl?class=guest&name=user.
In this context there are some moans about the W3C validator.
But watch out!
Browsers correctly understand HTML-encoded URLs, but that encoding is only valid within HTML. If you type a URL into the address bar you must not use it. This might sound trivial, but what if you send someone a plain text email with a link like
http://mysite.com/confirmuser?name=bob&amp;key=2873783
Most likely you will NOT get the "key" parameter delivered to your application.
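As an added example (not part of the original post), the following Python stands in for the browser: html.unescape applies the same entity decoding a browser applies to an attribute value, which shows both the "copy" collision above and why the "&amp;" that is correct inside href is wrong in a plain text email. The URLs and the minimal query-string parser are constructed for the demonstration.

```python
"""Added example: what '&' in a query string turns into after HTML entity
decoding, and why '&amp;' must not appear in plain text URLs.
Standard library only; all URLs below are constructed sample values."""
import html


def parse_query(query: str) -> dict:
    # Minimal query-string split on '&' only. Written out rather than using
    # urllib.parse.parse_qs so the result does not depend on which
    # separators a given Python version treats as defaults.
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def href_as_browser_sees(attr_value: str) -> str:
    # An HTML parser decodes character references in attribute values,
    # including legacy names such as &copy that need no trailing ';'.
    return html.unescape(attr_value)


def query_after_html(attr_value: str) -> dict:
    # Parameters the application receives when attr_value is the literal
    # content of href="..." in an HTML document.
    decoded = href_as_browser_sees(attr_value)
    return parse_query(decoded.split("?", 1)[1])


def escaped_for_attribute(raw_url: str) -> str:
    # Correct form for an (X)HTML attribute: every '&' becomes '&amp;'
    # (html.escape also escapes <, >, " and ', which are fine here).
    return html.escape(raw_url, quote=True)


def query_in_plain_text(url_as_written: str) -> dict:
    # Plain text (address bar, text email) is never entity-decoded: the
    # characters as written are the URL the server receives.
    return parse_query(url_as_written.split("?", 1)[1])


if __name__ == "__main__":
    raw = "http://example.com/page?name=bob&copy=1"
    print(query_after_html(raw))                       # 'copy' swallowed by ©
    print(query_after_html(escaped_for_attribute(raw)))  # both params intact
    mail = "http://mysite.com/confirmuser?name=bob&amp;key=2873783"
    print(query_in_plain_text(mail))                   # 'amp;key', no 'key'
```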