Here is what the W3C has to say on the subject: "C.12. Using Ampersands
in Attribute Values (and Elsewhere) In both SGML and XML, the ampersand
character ("&") declares the beginning of an entity reference (e.g.,
&reg; for the registered trademark symbol "®"). Unfortunately, many
HTML user agents have silently ignored incorrect usage of the
ampersand character in HTML documents - treating ampersands that do
not look like entity references as literal ampersands. XML-based user
agents will not tolerate this incorrect usage, and any document that
uses an ampersand incorrectly will not be "valid", and consequently
will not conform to this specification. In order to ensure that
documents are compatible with historical HTML user agents and
XML-based user agents, ampersands used in a document that are to be
treated as literal characters must be expressed themselves as an
entity reference (e.g. "&amp;"). For example, when the href attribute
of the a element refers to a CGI script that takes parameters, it must
be expressed as
http://my.site.dom/cgi-bin/myscript.pl?class=guest&amp;name=user
rather than as
http://my.site.dom/cgi-bin/myscript.pl?class=guest&name=user."
The situation is a bit different for JavaScript used in the XHTML
versions. An isolated less-than sign < and the logical AND && are not
allowed in a script on an XHTML page because of conflicts with XML.
Writing these out as entity references, as you do for &amp; etc. in the
XHTML part of the page, kills the script. If you cannot avoid isolated
< and && in a script on an XHTML page, you are allowed to solve the
problem by using an external script. As another choice, the complete
script within the script tags can be surrounded by opening and closing
CDATA tags. Unfortunately, most browsers and servers do not properly
understand CDATA, and the script fails. However, it is possible to
surround both the opening and closing CDATA tags with multi-line JS
comment tags of the type /* blah blah */. Then the older browsers and
servers are happy, and the W3C XHTML validator is happy. The XML
constructs such as the CDATA tags are seen through the multi-line JS
comment tags, just as HTML comment tags are seen through when placed
around a JS script.
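
Both rules above can be checked with an XML parser. The following Python sketch is an added example, not part of the original text or of the W3C specification; the helper names and the sample script are constructed for illustration. It builds the same small XHTML page three ways and reports which ones are well-formed XML.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

XHTML_NS = "http://www.w3.org/1999/xhtml"
URL = "http://my.site.dom/cgi-bin/myscript.pl?class=guest&name=user"  # from the quote
SCRIPT = 'if (a < b && b < c) { document.title = "ordered"; }'  # constructed sample

def page(href_attr, script_body):
    """Build a minimal XHTML page. href_attr is the serialized attribute
    value including its quotes; script_body goes inside <script>."""
    return (f'<html xmlns="{XHTML_NS}"><head><title>t</title>'
            f'<script type="text/javascript">{script_body}</script></head>'
            f'<body><p><a href={href_attr}>link</a></p></body></html>')

def cdata_wrap(js):
    """Wrap JS in a CDATA section whose markers are hidden in /* */ comments."""
    if "]]>" in js:
        # A literal "]]>" inside the script would close the section early.
        raise ValueError("script contains ']]>'")
    return "/* <![CDATA[ */\n" + js + "\n/* ]]> */"

def well_formed(doc):
    """True if an XML parser accepts the document."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False

def parsed(doc):
    """Return (href, script text) as an XML parser sees them."""
    root = ET.fromstring(doc)
    ns = "{" + XHTML_NS + "}"
    return root.find(f".//{ns}a").get("href"), root.find(f".//{ns}script").text

RAW_AMP = page(f'"{URL}"', cdata_wrap(SCRIPT))      # bare & in the href
RAW_SCRIPT = page(quoteattr(URL), SCRIPT)           # bare < and && in the script
CORRECT = page(quoteattr(URL), cdata_wrap(SCRIPT))  # &amp; plus commented CDATA

if __name__ == "__main__":
    for name, doc in [("raw ampersand in href", RAW_AMP),
                      ("raw < and && in script", RAW_SCRIPT),
                      ("escaped href, CDATA script", CORRECT)]:
        print(f"{name}: well-formed = {well_formed(doc)}")
    print(parsed(CORRECT))
```

After parsing, the href comes back with a literal & and the script text keeps its < and && untouched, with only two empty /* */ comments left where the CDATA markers were.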