According to a reference here, the ampersand must be converted into an entity in element content. Change that to &; and it'll be more valid. (Think of it this way -- if bare ampersands were allowed, how would you be able to find entities?)
I suspect that may have a dramatic effect on how CGI.pm works.
They can't send the data that way (the program they are using is hard coded). It's not suppost to be form data, but they aren't sending it as a multitype, so it comes across as form data.