foo?a&b

Notice how the alert said "Hello & World" and not "Hello &amp; World", even though the code looks like:

<script type="text/javascript">
	alert("Hello &amp; World");
</script>

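This is because we are in XHTML, where the contents of a script element are parsed as ordinary text and entities are decoded. In HTML, a literal & inside a script element does not start an entity, so nothing would be decoded.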
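
The difference described above, as an added example that is not part of the original page: the same script block is parsed once with XML rules and once with HTML rules to show what source text the script engine would receive. Python's standard-library parsers stand in for a browser's XHTML and HTML parsers (an assumption of this example), and the function names are hypothetical.

```python
# Added example: compare what a script engine would receive when the same
# markup is parsed with XML rules (XHTML) versus HTML rules.
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample: the script block shown on the page.
MARKUP = '<script type="text/javascript">\n\talert("Hello &amp; World");\n</script>'


class _ScriptText(HTMLParser):
    """Collects the text inside <script> as the HTML tokenizer delivers it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)


def script_source_xml(markup):
    """XML rules: element content is parsed text, so &amp; becomes &."""
    return ET.fromstring(markup).text.strip()


def script_source_html(markup):
    """HTML rules: <script> content is raw text, entities stay as written."""
    parser = _ScriptText()
    parser.feed(markup)
    parser.close()
    return "".join(parser.chunks).strip()


def parse_modes_disagree(markup):
    """True when the two parse modes hand different source to the script engine."""
    return script_source_xml(markup) != script_source_html(markup)


if __name__ == "__main__":
    print("XHTML:", script_source_xml(MARKUP))
    print("HTML: ", script_source_html(MARKUP))
```

When a page may be served as either text/html or application/xhtml+xml, data written into a script block has to be encoded for the parse mode actually in effect, and a check like `parse_modes_disagree` flags blocks whose meaning changes between the two.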