
URL / HTML Escaping / Encoding: is escaping & required in a URL?

 3 years ago
source link: https://www.codesd.com/item/url-html-escaping-encoding-escapes-required-url.html


I have always been very confused by URL/HTML escaping. More recently I looked deeper into it. Then, looking at the PHP docs for urlencode:

$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';

I then realized that there's an & in most query strings that seems like it should be escaped. But it seems to work without escaping. I wonder why, and if it's actually required.


Escaping & into &amp; is required in HTML, but it works in most browsers anyway. If it didn't, 90% of the Internet would break. :) It is still good style to escape ampersands, and it is required for the document to pass validation.

See this W3C document for some good background why (the text focuses on a specific behaviour of PHP, but that doesn't really matter): Ampersands, PHP Sessions and Valid HTML. Money quote (emphasis mine):

In order to display reserved characters HTML and XHTML provide a mechanism called character references. The syntax of these is:

  • an ampersand
  • a "code" for the referenced character
  • a semicolon

For example, the "less than" character is represented as &lt;.

Giving the ampersand special meaning makes it, like <, a reserved character, so it also needs to be represented by an entity for it to be used in a document - &amp;
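
An added example, not part of the original question or answer, of the two encoding layers discussed above: values are URL-encoded first, then the finished URL is HTML-escaped for the href attribute, and the script reverses both layers to confirm the parameters arrive unchanged. The build_link helper and the sample parameters are constructed for illustration.

```php
<?php
// Added example; build_link() and the sample data are hypothetical.

/** Build an <a> tag: URL-encode keys and values, then HTML-escape the URL. */
function build_link(string $path, array $params, string $label): string
{
    // Layer 1 (URL context): every key and value is percent-encoded and
    // the pairs are joined with a literal '&' separator.
    $url = $path . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);

    // Layer 2 (HTML attribute context): the separator '&' becomes '&amp;'
    // and any quote that survived layer 1 cannot close the attribute.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<a href="' . htmlspecialchars($url, $flags, 'UTF-8') . '">'
         . htmlspecialchars($label, $flags, 'UTF-8') . '</a>';
}

// Constructed input: a value holding &, =, quotes and angle brackets, plus
// a parameter named "copy" so the raw URL contains the sequence "&copy".
$params = ['q' => 'Tom & "Jerry" <b>=1', 'copy' => '2'];
$html   = build_link('mycgi', $params, 'search');
echo $html, "\n";

// Undo the layers in the order a browser and then a server would.
preg_match('/href="([^"]*)"/', $html, $m);
$url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8'); // HTML parser
parse_str(parse_url($url, PHP_URL_QUERY), $received);               // server side

// Both parameters survive the round trip byte for byte.
var_dump($received === $params);
```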

