Well, in general it looks like rfc 2396 covers the issue. From section 2.4.2. "When to Escape and Unescape":
A URI is always in an "escaped" form, since escaping or unescaping a
completed URI might change its semantics. Normally, the only time
escape encodings can safely be made is when the URI is being created
from its component parts; each component may have its own set of
characters that are reserved, so only the mechanism responsible for
generating or interpreting that component can determine whether or
not escaping a character will change its semantics. Likewise, a URI
must be separated into its components before the escaped characters
within those components can be safely decoded.
"HTML Quoting" and "url escaping" are two different things. You can't quote components of a url, and definitely not the entire url. The & is a reserved separator, and I think the new one is the ';' semi-colon. Probably the old one, when used in an HTML page needs to be quoted?
