Web Application – Does HTML Purifier (which & converts to &) prevent HTTP parameter contamination?

If a REST endpoint (http://example.com) the p Querying parameters and passing them to another endpoint:

http_get ("http://example.com/api2?p=". $ _ GET['p']); 

I will be able to exploit it by attaching content later p: http://example.com?p=a%26admin=true, making a request to http://example.com/api2?p=a&admin=true (% 26 is decoded & from the server), which leads to an exploit if the / api2 Endpoint reads the Administrator Parameter.

But if I use HTML Purifier $ _GET['p']will convert it & in &Amp;which will break the attack if api2 is not reading amp; Admin (unlikely in practice).

Does that mean the escape of & in &Amp; will effectively prevent the exploit? Why are we warned on this page? & amp; HPP_TEST then?