Ooops! That will teach me to test the code before answering. Is there any reason why you use the keep_encoding option? Without it it works fine, with it, indeed the & is not escaped in the output. You should only use this option if you are dealing with non-utf8 encodings, and want all the processing to be done in the original encoding, which doesn't seem to be your case.