By the HTML specification, an ampersand should be encoded as
&
But of course a lot on the web doesn't do that. Here's an example of an ad widget from Amazon.com:
<iframe
src="http://rcm.amazon.com/e/cm?t=xyzxyz-20&o=1&p=11&l=ur1&category=textbooks&banner=17P1AE8RQ1T7ZFC62V82&f=ifr"
width="120"
height="600"
scrolling="no"
border="0"
marginwidth="0"
style="border:none;"
frameborder="0">
</iframe>
Note that the ampersand is not encoded.
For those work a lot with commercial sites, work in a company, or work with many widget codes, do most of these sites actually encode the ampersand?
(In other words, what percentage of top 1k sites try to encode ampersand properly when it is in the URL?)
Stress: this is not about whether it should or should not be encoded. I just want to ask those who work in companies: if you have seen a lot CGI based URL that has an ampersand in it, and this URL is inside an HTML page, in your experience, are they encoded?