Comment 1 for bug 640152

This is caused by running special chars encoding over the string which is already encoded. Original URI is used as action in loginform if user is not logged in at the time of clicking on the link in email. When $action is formed, ampersands are hard-coded as "&" (auth_get_login_form(), auth/lib.php), then at the form generation action string is passed through Peiform::hsc (get_form_tag()), so as result we have:

loginbox.innerHTML = '<form class="pieform" name="login" method="post" action="?id=2&amp;amp;replyto=1204&amp;amp;returnto=inbox" ...