- Bug
- Resolution: Fixed
- P3
- None
- None
- b29
The group option is currently defined to take a name and a list of packages or modules. There is no indication that the name may be arbitrary HTML, although that is how it is treated in the code, by wrapping the name in a RawHtml node. The name should be wrapped in a StringContent node instead.
This turns up in one of the regression tests, where the "name" is "Module B & C". The & is passed through directly, without being escaped. That is wrong. There does not seem to be a use-case for allowing HTML or even entities in the group name.
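The difference between the two wrappings, as an added example that is not part of the original report or of the javadoc code base: the `Content`, `RawHtml` and `StringContent` types below are simplified stand-ins that only borrow the names used in the report, and `heading` and the `<caption>` wrapper are hypothetical. The second input is a constructed group name containing markup.

```java
import java.util.List;

// Added illustration: minimal stand-ins for the two kinds of content node
// named in the report. These are NOT javadoc's real classes.
public class GroupNameEscaping {
    interface Content { String render(); }

    // Emits its text verbatim: the caller must guarantee it is valid HTML.
    record RawHtml(String html) implements Content {
        public String render() { return html; }
    }

    // Treats its text as plain characters and escapes HTML metacharacters.
    record StringContent(String text) implements Content {
        public String render() {
            StringBuilder sb = new StringBuilder(text.length());
            for (int i = 0; i < text.length(); i++) {
                char c = text.charAt(i);
                switch (c) {
                    case '&' -> sb.append("&amp;");
                    case '<' -> sb.append("&lt;");
                    case '>' -> sb.append("&gt;");
                    default -> sb.append(c);
                }
            }
            return sb.toString();
        }
    }

    // Hypothetical helper: renders a group heading around the name node.
    static String heading(Content name) {
        return "<caption>" + name.render() + "</caption>";
    }

    public static void main(String[] args) {
        // Constructed inputs: the name from the regression test, plus one containing markup.
        for (String name : List.of("Module B & C", "Core <b>APIs</b>")) {
            System.out.println("raw:     " + heading(new RawHtml(name)));
            System.out.println("escaped: " + heading(new StringContent(name)));
        }
    }
}
```

With the raw wrapping, the bare `&` reaches the page unescaped and the `<b>` in the second name is interpreted as markup; with the escaping wrapping both names are emitted as plain text.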