diff --git a/plugins/promptfoo/src/parsers/burp-entities.test.ts b/plugins/promptfoo/src/parsers/burp-entities.test.ts
new file mode 100644
index 0000000..cb11249
--- /dev/null
+++ b/plugins/promptfoo/src/parsers/burp-entities.test.ts
@@ -0,0 +1,23 @@
+import { describe, expect, it } from 'vitest';
+
+import { parseBurpSingle } from './burp.js';
+
+describe('parseBurpSingle XML entity decoding', () => {
+  it('decodes ampersands after other entities', () => {
+    const parsed = parseBurpSingle(`
+      <items>
+        <item>
+          <url>https://example.com/search?note=&amp;quot;</url>
+          <host>example.com</host>
+          <port>443</port>
+          <protocol>https</protocol>
+          <method>GET</method>
+          <path>/search?note=&amp;quot;</path>
+          <request></request>
+        </item>
+      </items>
+    `);
+
+    expect(parsed.raw).toContain('note=&quot;');
+  });
+});
diff --git a/plugins/promptfoo/src/parsers/burp.ts b/plugins/promptfoo/src/parsers/burp.ts
index b3c9a27..96eaba2 100644
--- a/plugins/promptfoo/src/parsers/burp.ts
+++ b/plugins/promptfoo/src/parsers/burp.ts
@@ -122,9 +122,9 @@ function decodeXmlEntities(str: string): string {
   return str
     .replace(/&lt;/g, '<')
     .replace(/&gt;/g, '>')
-    .replace(/&amp;/g, '&')
     .replace(/&quot;/g, '"')
-    .replace(/&apos;/g, "'");
+    .replace(/&apos;/g, "'")
+    .replace(/&amp;/g, '&');
 }
 
 /**