You should not URL-encode URLs before inserting them into a href attribute: actually, if you URL-encode them they'll likely break.
But you must HTML-escape them, which is what & turned into &amp; is about. Django templates may be configured to do it automatically anyway, see https://docs.djangoproject.com/en/dev/ref/templates/builtins/
If you don't HTML-escape URLs and other variables before merging them in your HTML (especially if they ultimately come from user input) you risk making your website vulnerable to cross-site scripting (XSS).
P.S.: why in the hell does this blog require JavaScript to be enabled, for extra 3rd party sources too, in order to protect your comment form against CSRF? :(
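
The distinction drawn in the comment above, as an added example that is not part of the original comment or the blog's code: it uses Python's standard library rather than Django templates, and the sample URLs and helper names are constructed for illustration. It renders the same URL into an `href` three ways and parses the markup back to see what attribute values an HTML parser actually recovers.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample inputs (not from the original comment).
GOOD_URL = "https://example.com/search?q=a&lang=en"
HOSTILE_URL = 'https://example.com/?q=x" data-injected="1'

class _FirstAnchor(HTMLParser):
    """Record the attributes of the first <a> tag as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

def anchor_attrs(markup):
    parser = _FirstAnchor()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def render_raw(url):
    # No escaping: a double quote in the value ends the attribute early.
    return '<a href="%s">link</a>' % url

def render_url_encoded(url):
    # Percent-encoding the whole URL also encodes ':' '/' '?' and '&',
    # so the result is no longer the same (or even an absolute) URL.
    return '<a href="%s">link</a>' % quote(url, safe="")

def render_html_escaped(url):
    # HTML-escaping turns & into &amp; and " into &quot; and the parser
    # decodes them back, so the href value is exactly the original URL.
    return '<a href="%s">link</a>' % escape(url, quote=True)

if __name__ == "__main__":
    for render in (render_raw, render_url_encoded, render_html_escaped):
        for url in (GOOD_URL, HOSTILE_URL):
            markup = render(url)
            print(render.__name__, markup, anchor_attrs(markup), sep="\n  ")
```

Only the HTML-escaped rendering both preserves the URL and keeps the value inside the `href` attribute; the unescaped one lets the value add an attribute of its own.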