>>>>> "e" == ed <ed at easent.net> writes:

e> parameter. Apache / IIS would be significantly confused for sure. &'s are
e> not valid in HTML file names as they specify a part of a parameter list on
e> the url.

If the code isn't URI escaping things when needed, then it is a security breach waiting to happen.
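The URI-escaping point made above, as an added example that is not part of the original thread: it builds a link to a file name with and without percent-encoding and compares what a server-side query parser receives. The endpoint `http://files.example/view`, the `file` parameter and the sample file names are assumptions constructed for illustration.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Constructed sample: file names a user could legitimately create.
SAMPLE_NAMES = ["report.html", "Q&A.html", "notes&draft=1.html", "50%#off?.html"]

BASE = "http://files.example/view"  # hypothetical endpoint (assumption)


def naive_url(name):
    """Builds the link by plain string concatenation, with no escaping."""
    return f"{BASE}?file={name}"


def escaped_url(name):
    """Percent-encodes every reserved character in the value (safe='')."""
    return f"{BASE}?file={quote(name, safe='')}"


def server_view(url):
    """Parses the query string the way a server-side handler would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def round_trips(name, build):
    """True when the server sees exactly one parameter: file == name."""
    return server_view(build(name)) == {"file": [name]}


def audit(names):
    """Returns {name: (naive_ok, escaped_ok)} for each file name."""
    return {n: (round_trips(n, naive_url), round_trips(n, escaped_url))
            for n in names}


if __name__ == "__main__":
    for name, (naive_ok, escaped_ok) in audit(SAMPLE_NAMES).items():
        print(f"{name!r:22} naive={naive_ok!s:5} escaped={escaped_ok}")
        if not naive_ok:
            # Show how the unescaped name was split or truncated.
            print("    server saw:", server_view(naive_url(name)))
```

Only the plain name survives concatenation: `&` splits the value into extra parameters, and `#` cuts the query short before it reaches the parser.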