foo?a&b

Notice how the alert said "Hello &amp; World" (the character reference left undecoded) and not "Hello & World", even though the code looks like:

<script type="text/javascript">
	alert("Hello &amp; World");
</script>

This is because the document is HTML, where the content of a <script> element is raw text and character references such as &amp; are handed to the JavaScript engine exactly as written. In XHTML the content of <script> is ordinary XML character data: the XML parser decodes &amp; to & before the script runs (so the alert would say "Hello & World"), and a literal & or < inside the script is a well-formedness error unless it sits in a CDATA section.
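To see the two rules side by side, here is an added example (my own code, not from the page): a small model of how an HTML parser and an XML parser each deliver <script> content to the JavaScript engine. The function names (scriptSource, xmlCharData, jsStringLiteral) and the sample inputs are mine, and the "untrusted" string is a constructed sample, not a finding about any site. In a real browser the same difference is visible by parsing the markup with new DOMParser().parseFromString(markup, "text/html") versus "application/xhtml+xml" and reading the script element's textContent.

```javascript
// Added example (not code from the original page): a model of how an HTML
// parser and an XML (XHTML) parser hand the contents of a <script> element
// to the JavaScript engine. Function names and sample inputs are mine.
//
// HTML : script content is raw text; character references such as &amp;
//        are passed through undecoded.
// XHTML: script content is ordinary XML character data; references are
//        decoded before the JS engine sees anything, a bare & or < is a
//        well-formedness error, and only a CDATA section is taken literally.

const XML_ENTITIES = new Map([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"],
]);
const REFERENCE = /&(#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;

// Decode the five predefined XML entities plus numeric character references.
// XHTML without a DTD knows no other names, so &nbsp; and friends are errors.
function decodeXmlReferences(text) {
  return text.replace(REFERENCE, (_, ref) => {
    if (ref[0] === "#") {
      const cp = ref[1] === "x" ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    if (XML_ENTITIES.has(ref)) return XML_ENTITIES.get(ref);
    throw new Error(`undefined entity &${ref}; (well-formedness error)`);
  });
}

// Interpret XHTML character data: CDATA sections are literal; everything
// else must be well-formed and is reference-decoded.
function xmlCharData(raw) {
  const parts = raw.split(/(<!\[CDATA\[[\s\S]*?\]\]>)/);
  return parts.map((part) => {
    if (part.startsWith("<![CDATA[")) return part.slice(9, -3);
    if (part.includes("<")) throw new Error("bare < outside CDATA (well-formedness error)");
    if (part.replace(REFERENCE, "").includes("&")) {
      throw new Error("bare & outside CDATA (well-formedness error)");
    }
    return decodeXmlReferences(part);
  }).join("");
}

// Text the JS engine receives for the first <script> in `markup`, under the
// rules of `mode` ("html" or "xhtml"). Returns null if there is no script.
function scriptSource(markup, mode) {
  const m = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/i.exec(markup);
  if (!m) return null;
  if (mode === "html") return m[1];
  if (mode === "xhtml") return xmlCharData(m[1]);
  throw new Error(`unknown mode: ${mode}`);
}

// The page's own snippet, parsed both ways.
const PAGE_MARKUP =
  '<script type="text/javascript">\n\talert("Hello &amp; World");\n</script>';

function pageExample() {
  return {
    html: scriptSource(PAGE_MARKUP, "html").trim(),   // alert("Hello &amp; World");
    xhtml: scriptSource(PAGE_MARKUP, "xhtml").trim(), // alert("Hello & World");
  };
}

// Caveat: HTML-entity-encoding untrusted data before placing it inside a
// <script> block is not a script-context escaper. In HTML the entity stays
// literal text; in XHTML it is decoded first, so an encoded quote becomes a
// real quote and terminates the JS string literal. Constructed sample input.
function entityEncodedInScript(mode) {
  const untrusted = '";alert(1);//';
  const encoded = untrusted
    .replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
  return scriptSource(`<script>var name = "${encoded}";</script>`, mode);
}

// Script-context escaping that survives both parsers: \uXXXX escapes are
// plain ASCII letters and digits, so neither parser touches them.
function jsStringLiteral(value) {
  return '"' + value.replace(/[^A-Za-z0-9 ]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")) + '"';
}

function escapedInScript(mode) {
  const untrusted = '";alert(1);//';
  return scriptSource(`<script>var name = ${jsStringLiteral(untrusted)};</script>`, mode);
}
```

Run it and compare pageExample().html with pageExample().xhtml: only the XHTML path turns &amp; into &. The two entityEncodedInScript results show why output encoding must match the context the data lands in: the same entity-encoded string is inert in HTML and breaks out of the string in XHTML, whereas the \uXXXX form produced by jsStringLiteral reads identically under both parsers.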