It is always correct, in any HTML version, to represent the ampersand character “&” using the reference &
within an attribute value.
Whether it is also correct to use it as such depends on context and on HTML version. In any flavor of XHTML, it is never correct. In other flavors, it depends, basically on the kind of the next character, but – if it is a name character – also on HTML version and the nature of the attribute (URL values attributes are treated differently).
The short story is that you should escape it when in doubt, and normally avoid any complicated JavaScript code in attributes. Using a function call inside an attribute value is OK, but anything more complicated easily leads into confusion. In fact, many people favor putting all JavaScript code into external JavaScript files, for good reasons; as a side effect, thet avoid problems like this – caused by embedding JavaScript into HTML.