This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
In the src attributes for script, img, etc a valid url can have an & in it without being escaped. The message for a script tag with a query string in the url and multiple parameters with & as the delimiter: "& did not start a character reference. (& probably should have been escaped as &.)"
I wrote an experimental patch for this and push it to http://qa-dev.w3.org:8888/ So for now you can test it there and please let me know if find any problems. I'll try to get the patch landed in the sources soon and pushed out to the production validator.
As of 2014-4-6 this bug still exists in the production validator.
patch under review at https://bugzilla.mozilla.org/show_bug.cgi?id=1153920