HTTP URLs pass parameters in GET requests by appending name=value pairs to the URL, separated by the ampersand character. XHTML Strict does not permit the ampersand character, but rather requires an 'escaped' entity reference & followed by a-m-p-semicolon: & Safari version 2.0.2 (416.12) passes this in the URL as the Unicode entity & -- & followed by hash-three-eight-semicolon. The Tomcat servlet container blows this off; the Java JDK 1.5.0_05 does not interpret such a string as a valid URL query parameter. Safari with WebKit via today's (10-Nov-2005) CVS does NOT have this problem. Mozilla, FireFox, and Camino likewise do not pass this entity in the URL, but rather pass the "bare" ampersand character, which is the correct behavior. rdar://4338299 Looks like it is fixed with the WebKit in CVS.