I see this was supposed to be fixed from the Changelog for 0.69, but there are still some problems with ampersands in urls.
Let's say someone says:
If this gets selected as Bob's random quote, this line goes through Pisg::HTMLGenerator::_format_line, which does some stuff, and then calls htmlentities, and then _replace_links.
htmlentities replaces the url with http://example.com/foo?bar=baz&amp;bat=quux
Then _replace_links doesn't recognize the semicolon as part of a url, so it uses http://example.com/foo?bar=baz&amp as the url.
This gets output into the html in a couple places, e.g. href="http://...&amp", which then fails validation.
I'm not 100% sure, but I think this change to the regex in _replace_links should do the trick:
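
The failure described in this report can be reproduced with the short Perl script below. It is an added example, not pisg's code and not the regex change the reporter proposed: `escape_html`, both linkify functions and both URL patterns are hypothetical stand-ins, and the sample line is constructed around the URL from the report. The second function shows a different approach from a regex change, which is to find URLs in the raw text first and escape each piece afterwards.

```perl
use strict;
use warnings;

# Constructed sample line; the URL is the one quoted in the report.
my $line = 'look at http://example.com/foo?bar=baz&bat=quux <now>';

# Minimal stand-in for htmlentities (hypothetical helper, not pisg's).
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Order described in the report: escape first, then linkify.
# The assumed URL pattern has no ';' in its character class, so the
# match stops inside the '&amp;' entity that escaping just produced.
sub linkify_after_escape {
    my ($s) = @_;
    $s = escape_html($s);
    $s =~ s{(https?://[\w./?=&%#:~+-]+)}{<a href="$1">$1</a>}g;
    return $s;
}

# Alternative order: split the raw text on URLs, then escape every
# piece separately, so entities never take part in URL matching.
sub linkify_then_escape {
    my ($s) = @_;
    # With a capturing group, split returns the URLs at odd indexes.
    my @parts = split m{(https?://[^\s<>"]+)}, $s;
    my $out = '';
    for my $i (0 .. $#parts) {
        my $e = escape_html($parts[$i]);
        $out .= $i % 2 ? qq{<a href="$e">$e</a>} : $e;
    }
    return $out;
}

print "escape, then linkify: ", linkify_after_escape($line), "\n";
print "linkify, then escape: ", linkify_then_escape($line), "\n";
```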