Answer from Welbog on Stack Overflow
Top answer
1 of 10
1711

If you use an appropriate class or library, they will do the escaping for you. Many XML issues are caused by string concatenation.

XML escape characters

There are only five:

"   &quot;
'   &apos;
<   &lt;
>   &gt;
&   &amp;

Escaping characters depends on where the special character is used.

The examples can be validated at the W3C Markup Validation Service.

Text

The safe way is to escape all five characters in text. However, the three characters ", ' and > needn't be escaped in text:

<?xml version="1.0"?>
<valid>"'></valid>

Attributes

The safe way is to escape all five characters in attributes. However, the > character needn't be escaped in attributes:

<?xml version="1.0"?>
<valid attribute=">"/>

The ' character needn't be escaped in attributes if the quotes are ":

<?xml version="1.0"?>
<valid attribute="'"/>

Likewise, the " needn't be escaped in attributes if the quotes are ':

<?xml version="1.0"?>
<valid attribute='"'/>

Comments

All five special characters must not be escaped in comments:

<?xml version="1.0"?>
<valid>
<!-- "'<>& -->
</valid>

CDATA

All five special characters must not be escaped in CDATA sections:

<?xml version="1.0"?>
<valid>
<![CDATA["'<>&]]>
</valid>

Processing instructions

All five special characters must not be escaped in XML processing instructions:

<?xml version="1.0"?>
<?process <"'&> ?>
<valid/>

XML vs. HTML

HTML has its own set of escape codes which cover a lot more characters.

2 of 10
118

New, simplified answer to an old, commonly asked question...

Simplified XML Escaping (prioritized, 100% complete)

  1. Always (90% important to remember)

    • Escape < as &lt; unless < is starting a <tag/> or other markup.
    • Escape & as &amp; unless & is starting an &entity;.
  2. Attribute Values (9% important to remember)

    • attr=" 'Single quotes' are ok within double quotes."
    • attr=' "Double quotes" are ok within single quotes.'
    • Escape " as &quot; and ' as &apos; otherwise.
  3. Comments, CDATA, and Processing Instructions (0.9% important to remember)

    • <!-- Within comments --> nothing has to be escaped but no -- strings are allowed.
    • <![CDATA[ Within CDATA ]]> nothing has to be escaped, but no ]]> strings are allowed.
    • <?PITarget Within PIs ?> nothing has to be escaped, but no ?> strings are allowed.
  4. Esoterica (0.1% important to remember)

    • Escape control codes in XML 1.1 via Base64 or Numeric Character References.
    • Escape ]]> as ]]&gt; unless ]]> is ending a CDATA section.
      (This rule applies to character data in general – even outside a CDATA section.)
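The context rules from both answers above, as an added Python example that is not part of either answer: the same values are written by raw concatenation, by per-context escaping with the standard library's `xml.sax.saxutils`, and by letting `ElementTree` serialize them, then parsed back. The helper names and the sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

def text_node(value):
    # Element content: & and < are mandatory; escape() also turns > into &gt;,
    # which covers the "]]>" rule for character data.
    return escape(value)

def attr_value(value):
    # Returns the value with its delimiters: quoteattr() picks " or ' and
    # escapes &, <, > plus the quote character only when it has to.
    return quoteattr(value)

def cdata(value):
    # CDATA takes raw characters, but "]]>" has to be split over two sections.
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"

def comment(value):
    # Comments take raw characters, but "--" and a trailing "-" are not allowed.
    if "--" in value or value.endswith("-"):
        raise ValueError("comment text may not contain '--' or end with '-'")
    return "<!--" + value + "-->"

def build_concat(name, role):
    # The failure mode: raw concatenation, nothing escaped.
    return '<user role="' + role + '">' + name + "</user>"

def build_escaped(name, role):
    return "<user role=" + attr_value(role) + ">" + text_node(name) + "</user>"

def build_with_library(name, role):
    # Preferred: let the serializer escape per context.
    user = ET.Element("user", {"role": role})
    user.text = name
    return ET.tostring(user, encoding="unicode")

def parse_user(xml):
    # Returns (role, text), or None when the document is not well-formed.
    try:
        user = ET.fromstring(xml)
    except ET.ParseError:
        return None
    return user.get("role"), "".join(user.itertext())

# Constructed sample values containing all five special characters.
NAME = 'AT&T <sales> "east" \'09 ]]>'
ROLE = 'it\'s "admin" & <ops>'

if __name__ == "__main__":
    for build in (build_concat, build_escaped, build_with_library):
        print(build.__name__, "->", parse_user(build(NAME, ROLE)))
```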
r/xml on Reddit: XSLT How Do I Handle XML Escape Characters?
February 3, 2021 -

Hello, I hope I've come to the right place. I'm at a loss as to how to handle my problem. I have an XML feed that contains HTML tags. The feed of course has the tags escaped, and this feed works until I try to apply XSLT 3 to it. All the HTML tags (characters) are escaped and are now being displayed as literal values instead of the browser rendering/parsing the HTML tags. I need to somehow convert or transform the characters so they can be parsed.

I've been searching for a solution for days but I either am not understanding it or I'm just not finding the solution. Any help would be greatly appreciated.

Content example

&lt;p&gt;

&lt;a href=&quot;https://www.gsmarena.com/samsung_galaxy_s6_(usa)-7164.php&quot;&gt;>Samsung Galaxy S6&lt;/a&gt;

&lt;p&gt;

Result I'm looking for but with the HTML element tags parsed.

<p>  
<a href="https://www.gsmarena.com/samsung_galaxy_s6_(usa)-7164.php">Samsung Galaxy S6</a>
</p>
Example of Rendered Output
Top answer
1 of 2
1
There are a number of possible solutions here, and the first one that springs to mind is the old-fashioned method of doing a pre-process in another language that resolves the escaped pointy brackets and so forth.  Another possibility is to use the unparsed-text() function and turn it into xml in memory as a variable and run your templates on the variables. This is only a better solution if your escaped characters are within specific elements or if memory isn’t an issue.
2 of 2
1
You don't say which XSL-T processor you are using. Since there are not many options around for XSL-T 3.0, I assume it might be Saxon. But even then, there are three editions of Saxon: an open-source, free edition (Saxon/HE) and two paid editions (Saxon/PE and Saxon/EE) that come with additional features. One of these features is to execute XQuery within your XSL-T via the saxon:compile-query#1 and saxon:query#1 functions. Having these available would allow a little XQuery 3.1 script (actually a function definition) to be applied:

    declare function local:unescape( $input as xs:string*) as xs:string* {
      $input
      => replace(``[&lt;]``, ``[<]``)
      => replace(``[&gt;]``, ``[>]``)
      => replace(``[&apos;]``, ``[']``)
      => replace(``[&quot;]``, ``["]``)
      (: &amp; is replaced last so that already-escaped text is unescaped only once :)
      => replace(``[&amp;]``, ``[&]``)
    };

You will need XQuery 3.1 for this, since it uses string constructors and arrow operators, which are available only since XQuery 3.1 and are not part of the underlying XPath language. This function will take any string and replace the five default entities defined for XML with their counterparts. Note that I didn't test this in Saxon (nor do I have experience with these two Saxon extension functions), only as pure XQuery in BaseX, but it should be possible (as long as you have a license for, at least, Saxon/PE).

If you don't have Saxon/PE, you may try some tinkering with output escaping. For this, read the serialization chapter in the specs for XSL-T 3.0.

Also, placing your HTML into CDATA when you also define the @type="html" attribute is not recommended. Use @type="text" for this and then do the text processing manually. You may also get around your issue by using @type="xhtml", which allows you to place unescaped XHTML within the element, as long as you wrap it into an ` element. There is more to this in the Atom specification here: https://tools.ietf.org/html/rfc4287#section-4.1.3 (especially in https://tools.ietf.org/html/rfc4287#section-4.1.3.3 in the last point)