Ok, so after tearing and wrecking my brain, I found a simpler solution than I'd have thought would have worked:
I removed the escape()
function entirely as well as any serialization I used before and simply replaced the &
s with html encoded ampersands like this;
filterString = filterString.replace("&", "\\u0026");
works nicely, I wish ASP and Microsoft would stop being so anal, they should deal with security risks rather than avoid it