The problem is the & character, which has two separate special meanings:
- In HTTP (and hence CGI) it is a separator in your QUERY_STRING
- In HTML it is an escape character

So when it appears in an HTML context, it should be encoded.  If you need
a link to myprog.cgi with QUERY_STRING "a=1&b=2" you should write
<a href="myprog.cgi?a=1&amp;b=2">my program</a>
which the browser's HTML parser will convert to what you wanted.

There are possible browser problems here, although they appear to be
limited to older browsers.  Some other approaches are:
- Use a different separator character in CGI programs when called in this
  manner.  Or even a completely different encoding.  This is safe, but may
  be much more work unless your CGI library supports setting a different
  separator character.
- Avoid any parameters whose names include that of any HTML entity.
  This runs a possible risk if the set of entities changes in future,
  or when browsers introduce proprietary 'extensions'.