7. Un-escaped Entities in XHTML
you must escape the ampersand to be compliant:
This is also true of any ampersands that appear in scripts within your document. If the script is external to the document, there is no need to escape the entity; but if it's embedded in the document, make sure to escape it.
Unfortunately, this is one of the problems most often encountered by dynamic content via CMSs and ad servers. Also, some server-side scripts introduce these ampersands. Make sure that you get your developers to ensure that any dynamic markup being delivered to the browser properly escapes the entity. Note that escaping entities do not affect your link or script integrity.