If you use an appropriate class or library, they will do the escaping for you. Many XML issues are caused by string concatenation.

XML escape characters

There are only five:

"   "
'   '
<   &lt;
>   &gt;
&   &amp;

Escaping characters depends on where the special character is used.

The examples can be validated at the W3C Markup Validation Service.

Text

The safe way is to escape all five characters in text. However, the three characters ", ' and > needn't be escaped in text:

<?xml version="1.0"?>
<valid>"'></valid>

Attributes

The safe way is to escape all five characters in attributes. However, the > character needn't be escaped in attributes:

<?xml version="1.0"?>
<valid attribute=">"/>

The ' character needn't be escaped in attributes if the quotes are ":

<?xml version="1.0"?>
<valid attribute="'"/>

Likewise, the " needn't be escaped in attributes if the quotes are ':

<?xml version="1.0"?>
<valid attribute='"'/>

Comments

All five special characters must not be escaped in comments:

<?xml version="1.0"?>
<valid>
<!-- "'<>& -->
</valid>

CDATA

All five special characters must not be escaped in CDATA sections:

<?xml version="1.0"?>
<valid>
<![CDATA["'<>&]]>
</valid>

Processing instructions

All five special characters must not be escaped in XML processing instructions:

<?xml version="1.0"?>
<?process <"'&> ?>
<valid/>

XML vs. HTML

HTML has its own set of escape codes which cover a lot more characters.

Answer from Welbog on Stack Overflow
🌐
Stack Overflow
stackoverflow.com › questions › 1091945 › what-characters-do-i-need-to-escape-in-xml-documents
escaping - What characters do I need to escape in XML documents? - Stack Overflow
Top answer
1 of 10
1711

If you use an appropriate class or library, they will do the escaping for you. Many XML issues are caused by string concatenation.

XML escape characters

There are only five:

"   &quot;
'   &apos;
<   &lt;
>   &gt;
&   &amp;

Escaping characters depends on where the special character is used.

The examples can be validated at the W3C Markup Validation Service.

Text

The safe way is to escape all five characters in text. However, the three characters ", ' and > needn't be escaped in text:

<?xml version="1.0"?>
<valid>"'></valid>

Attributes

The safe way is to escape all five characters in attributes. However, the > character needn't be escaped in attributes:

<?xml version="1.0"?>
<valid attribute=">"/>

The ' character needn't be escaped in attributes if the quotes are ":

<?xml version="1.0"?>
<valid attribute="'"/>

Likewise, the " needn't be escaped in attributes if the quotes are ':

<?xml version="1.0"?>
<valid attribute='"'/>

Comments

All five special characters must not be escaped in comments:

<?xml version="1.0"?>
<valid>
<!-- "'<>& -->
</valid>

CDATA

All five special characters must not be escaped in CDATA sections:

<?xml version="1.0"?>
<valid>
<![CDATA["'<>&]]>
</valid>

Processing instructions

All five special characters must not be escaped in XML processing instructions:

<?xml version="1.0"?>
<?process <"'&> ?>
<valid/>

XML vs. HTML

HTML has its own set of escape codes which cover a lot more characters.

2 of 10
118

New, simplified answer to an old, commonly asked question...

Simplified XML Escaping (prioritized, 100% complete)

  1. Always (90% important to remember)

    • Escape < as &lt; unless < is starting a <tag/> or other markup.
    • Escape & as &amp; unless & is starting an &entity;.

  2. Attribute Values (9% important to remember)

    • attr=" 'Single quotes' are ok within double quotes."
    • attr=' "Double quotes" are ok within single quotes.'
    • Escape " as &quot; and ' as &apos; otherwise.

  3. Comments, CDATA, and Processing Instructions (0.9% important to remember)

    • <!-- Within comments --> nothing has to be escaped but no -- strings are allowed.
    • <![CDATA[ Within CDATA ]]> nothing has to be escaped, but no ]]> strings are allowed.
    • <?PITarget Within PIs ?> nothing has to be escaped, but no ?> strings are allowed.

  4. Esoterica (0.1% important to remember)

    • Escape control codes in XML 1.1 via Base64 or Numeric Character References.
    • Escape ]]> as ]]&gt; unless ]]> is ending a CDATA section.
      (This rule applies to character data in general – even outside a CDATA section.)
🌐
FreeFormatter
freeformatter.com › xml-escape.html
Free Online XML Escape / Unescape Tool - FreeFormatter.com
A free online tool to escape or unescape XML documents and files
🌐
Fastly
fastly.com › documentation › reference › vcl › functions › strings › xml-escape
xml_escape | Fastly Documentation
Navigate to... ... Available inall subroutines. Escapes characters from a string using XML-style escape sequences.
People also ask
How do you escape data in XML?
To escape data in XML, you must replace any special characters with their corresponding escape sequence. For example, the &lt; character should be replaced with &lt;, and the &gt; character should be replaced with &gt;. This can be done manually or through programming language functions or XML editor tools.
🌐
testmu.ai
testmu.ai › home › free tools › xml escape
XML Escape Free Online | Free online tool to convert plain XML ...
What is the difference between XML and HTML escape?
Although XML and HTML share the same set of special characters, they have slightly different escape sequences. While the single quote (') character in XML can only be escaped with ', it can be escaped with either ' or ' in HTML. In addition, a few additional escape sequences used in HTML but not in XML include those for non-breaking spaces.
🌐
testmu.ai
testmu.ai › home › free tools › xml escape
XML Escape Free Online | Free online tool to convert plain XML ...
What is the XML format?
XML (Extensible Markup Language) is a markup language used to define and structure data in a human-readable and machine-readable format. It consists of elements, attributes, and text content enclosed in tags, which describe the structure and content of the data.
🌐
testmu.ai
testmu.ai › home › free tools › xml escape
XML Escape Free Online | Free online tool to convert plain XML ...
🌐
Liquid Technologies
liquid-technologies.com › Reference › Glossary › XML_EscapingData.html
Escaping XML Data
Escaping XML Data Adding control characters ('<', '>', ''', '"', '&') into xml data can cause the parser to miss understand the resulting data. The solution is to escape the control characters so that the parser can interpret them correc
🌐
JSON Formatter
jsonformatter.org › xml-escape
Best XML Escape characters tool
Online XML Escape characters tool to escape ampersand,quote and all special characters.
🌐
GeeksforGeeks
geeksforgeeks.org › javascript › how-to-escape-characters-in-xml
How to Escape Characters in XML ? - GeeksforGeeks
July 23, 2025 - In this approach, we are using the replace() method with a regular expression to search for characters <, >, ", ', and & in the XML data and replace them with their respective XML entities (&lt;, &gt;, &quot;, &apos;, &amp;). Example: The below ...
🌐
Advanced Installer
advancedinstaller.com › user-guide › xml-escaped-chars.html
XML escaped characters
For example, if you add an existing XML file or create a new one in your project and insert a special XML character in one of its elements, let's say < character, when you will build the project, Advanced Installer will automatically escape this character, replacing it with &lt;. The result is that the XML document installed by the built package will contain the escaped character making possible the correct interpretation of the XML code.
🌐
Code Beautify
codebeautify.org › xml-escape-unescape
XML Escape and XML Unescape Online Tool
XML Unescape is easy to use tool to unescape XML and converts to plain XML to unescaped xml which helps to show xml text in XML in &ltpre&gt tag.
Find elsewhere
🌐
Oracle
docs.oracle.com › cd › A97335_02 › apps.102 › bc4j › developing_bc_projects › obcCustomXml.htm
Using Special Characters in XML
When you use wizards to customize any string in your XML file, you can use the following special symbols: <, >, &, ', ".
🌐
Testmu
testmu.ai › home › free tools › xml escape
XML Escape Free Online | Free online tool to convert plain XML content to escaped HTML.
As a result, the XML document might need to be correctly parsed. By substituting them with the corresponding escape sequence using XML Escape, the special characters in an XML document can be correctly interpreted by the XML parser.
🌐
ServiceNow Community
servicenow.com › community › developer-forum › escaping-special-characters-in-xml › m-p › 2090226
Escaping special characters in XML - ServiceNow Community
June 1, 2021 - setStringParameter() -> to set simple string values such as sys_created_by which won't have special characters · XML reserved characters in the value are converted to the equivalent escaped characters.
🌐
Avajava
avajava.com › tutorials › lessons › how-do-i-escape-a-string-for-xml.html
How do I escape a String for XML? - Web Tutorials - avajava.com
This Java example shows how to escape a String for XML using StringEscapeUtils.
🌐
CodeItBro
codeitbro.com › home › all tools › development tools › xml tools › xml escape
XML Escape Tool: Escape Special Characters in XML
2 hours ago - Escape special characters in XML strings. Convert , &, ", and ' to their entity equivalents for safe XML embedding.
🌐
Testmuai
testmuai.com › home › free tools › xml escape
XML Escape Free Online | Free online tool to convert plain XML content to escaped HTML.
Tags, attributes, and other elements in an XML document are represented by these characters. XML Escape is necessary to avoid conflicts between an XML document's content and its syntax. For instance, the XML parser will interpret the special character "" as the start of a new tag rather than as a literal character if it appears in the content of an XML document.
🌐
Stack Overflow
stackoverflow.com › questions › 1328538 › how-do-i-escape-ampersands-in-xml-so-they-are-rendered-as-entities-in-html
How do I escape ampersands in XML so they are rendered as entities in HTML? - Stack Overflow
Top answer
1 of 10
488

When your XML contains &amp;amp;, this will result in the text &amp;.

When you use that in HTML, that will be rendered as &.

2 of 10
224

As per §2.4 of the XML 1.0 spec, you should be able to use &amp;.

I tried &amp; but this isn't allowed.

Are you sure it isn't a different issue? XML explicitly defines this as the way to escape ampersands.

🌐
Site24x7
site24x7.com › tools › xml-escaper.html
XML Escape / Unescape - Site24x7 Free Tools
Upload your file or paste the string you want to escape/unescape into the input field.
🌐
Novixys Software
novixys.com › blog › what-characters-need-to-be-escaped-in-xml-documents
What Characters Need to be Escaped in XML Documents? | Novixys Software Dev Blog
January 2, 2017 - <valid><![CDATA[[This string("]]]]><![CDATA[[>") must not appear here]]></valid> This article demonstrated what the predefined XML entities are and the various circumstances in which they can be used.
🌐
tools
tools.fromdev.com › xml-escape-unescape.html
XML Escape UnEscape Online Developer Tools - FROMDEV
But in case your data contains ... Below sample list can give you a idea of what this means. That is easy. Just type the character or a full string in the text box above and hit Escape button....
🌐
W3Schools
w3schools.io › xml-escape-characters
Learn Which characters to escape for XML components - w3schools
This tutorial covers the essentials of Why Escape is required for XML and examples for Escape characters for content text, attributes, CDATA, and comments. This tutorial explains about special characters escape in XML.
🌐
Coderanch
coderanch.com › t › 553681 › languages › Escape-XML-special-characters
Escape XML special characters? (XML forum at Coderanch)
One benefit of that would be that it is clear that the data contains "&", and not "&amp;amp;" - otherwise that may not be obvious to someone who processes that XML. ... It is just as well for me too. ... Just a comment: if you're using the org.w3c.dom packages, then generally speaking you don't need to concern yourself with escaping those characters. For example is perfectly legitimate and you don't need to escape that ampersand. Escaping only applies when an XML document is serialized to an external format -- i.e.
Related queries
unescape xml
xml validator
sql injection with filter bypass via xml encoding
c# app config escape
html escape characters
xml escape quotes
escape in xml
valid xml document