What characters need to be escaped in XML?

XML has five special characters that must be escaped: ampersand (&) becomes &, less-than ( ) becomes >, double quote (") becomes ", and single quote/apostrophe (') becomes '.

When should I escape XML characters?

You should escape special characters whenever you embed user-supplied or dynamic text inside XML elements or attributes. This prevents the XML parser from misinterpreting your data as markup, which could break the document structure or cause parsing errors.

What is the difference between XML escaping and HTML entity encoding?

XML escaping uses the five predefined XML entities (&, <, >, ", '), while HTML supports a much larger set of named entities (like ©, , —). Also, ' is standard in XML but was not supported in HTML 4 (it is supported in HTML5).

Can I use CDATA sections instead of escaping?

Yes, CDATA sections ( ) allow you to include text that would otherwise need escaping. However, CDATA sections cannot be used inside attribute values and cannot contain the string ']]>' itself. Escaping individual characters is more universally applicable.

XML Escape & Unescape - Free Online Tool

What is XML Escaping?

XML escaping is the process of replacing special characters with their corresponding XML entity references so that an XML parser can process your document correctly. XML reserves five characters for its own syntax: the ampersand (&), less-than (<), greater-than (>), double quote ("), and single quote/apostrophe ('). When any of these characters appear in text content or attribute values, they must be escaped to prevent the parser from treating them as markup.

How XML Escaping Works

XML defines five predefined entity references to represent its reserved characters. The ampersand becomes &, less-than becomes <, greater-than becomes >, double quote becomes ", and apostrophe becomes '. You can also use numeric character references in decimal (<) or hexadecimal (<) form. The unescaping (or resolving) process reverses this, converting entity references back into their original characters. Proper escaping is what makes the difference between a well-formed XML document and one that breaks during parsing.

Common Use Cases

Embedding user-generated content in XML documents safely
Building SOAP web service request and response bodies
Generating XML configuration files like Maven POM or Spring config
Creating RSS and Atom feed entries with special characters
Preparing SVG content that contains text with reserved characters
Serializing data for XML-based APIs and data interchange formats

CDATA Sections vs Entity Escaping

XML offers two approaches for including special characters in your content. Entity escaping replaces each reserved character individually and works everywhere, including inside attribute values. CDATA sections (<![CDATA[ ... ]]>) wrap a block of text and tell the parser to treat everything inside as literal characters, with no escaping needed. CDATA sections are convenient when you have large blocks of text containing many special characters, such as embedded code snippets or mathematical expressions.

However, CDATA sections have limitations. They cannot appear inside attribute values, and the content itself cannot contain the closing sequence ]]>. If your text might contain that sequence, entity escaping is the safer choice. In practice, most applications use entity escaping for short strings and attribute values, while reserving CDATA sections for longer blocks of embedded content like inline scripts or code samples.

For encoding HTML-specific entities, use our HTML Entity Encoder. You can format and validate your XML documents with the XML Formatter, or encode binary data for embedding in XML using the Base64 Encoder.

XML Escape & Unescape

How to Use XML Escape & Unescape

What is XML Escaping?

How XML Escaping Works

Common Use Cases

CDATA Sections vs Entity Escaping

Frequently Asked Questions

Related Tools