You do realise that & is a special character in HTML?
It should be encoded as & in any html.
The JSTL <c:out> tag will do that for you automagically.
& is also a special character in urls (used to seperate parameters). however if you are submitting a form, then that should be escaped automatically for you as well.
If you are building up the url string yourself, make sure you URLEncode any parameter values, which will escape the & characters.
Also note that to write & on this forum you write it as &amp;