How to use the XML Escape tool
Escape text for XML in three steps:
1. Choose the escaping context
Select Text Content mode if the text will appear between XML/HTML tags. Select Attribute Value mode if the text will be used inside an XML attribute value; this additionally escapes both quote characters.
2. Paste your text
Enter the raw text to escape. The escaped output appears instantly, with a count of how many entities were added.
3. Copy the escaped output
Copy the output and paste it into your XML document at the appropriate location. Escape each value exactly once, at the point where it is inserted into markup; running already-escaped text through the tool again double-encodes it.
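The procedure above, as an added example (not the tool's own code): a single-pass escaper with the same two modes and entity count, plus the check a practitioner should run on the result. Two constructed hostile values are placed into a text node and an attribute value, first unescaped and then escaped, and the document is parsed back to confirm that the escaped version keeps both values inert. The record layout, payloads and function names are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Text Content mode: the three characters that can alter markup between tags.
# Attribute Value mode: additionally both quote characters, because the escaper
# cannot know which delimiter the consuming template puts around the value.
TEXT_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}
ATTR_ENTITIES = {**TEXT_ENTITIES, '"': "&quot;", "'": "&apos;"}
TEXT_PATTERN = re.compile(r"[&<>]")
ATTR_PATTERN = re.compile(r"""[&<>"']""")


def xml_escape(raw, mode="text"):
    """Escape raw for the chosen context; return (escaped, entities_added).

    One regex pass replaces each special character exactly once, so the '&'
    introduced by one replacement can never be re-escaped by a later one.
    """
    if mode == "text":
        table, pattern = TEXT_ENTITIES, TEXT_PATTERN
    elif mode == "attr":
        table, pattern = ATTR_ENTITIES, ATTR_PATTERN
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    count = 0

    def repl(match):
        nonlocal count
        count += 1
        return table[match.group(0)]

    return pattern.sub(repl, raw), count


# Constructed hostile inputs: each tries to close its context and inject markup.
NAME_PAYLOAD = "Bob</name><role>admin</role><name>"
TITLE_PAYLOAD = 'Home" role="admin'


def build_user_record(display_name, homepage_title, escape=True):
    """Place two untrusted values into a text node and an attribute value.

    escape=False shows the vulnerable pattern (string concatenation with no
    escaping); escape=True applies the matching mode for each context.
    """
    if escape:
        display_name, _ = xml_escape(display_name, "text")
        homepage_title, _ = xml_escape(homepage_title, "attr")
    return (
        '<user role="member">'
        f"<name>{display_name}</name>"
        f'<homepage title="{homepage_title}"/>'
        "</user>"
    )


def parse_back(document):
    """Parse the document and report what a consumer would actually see."""
    root = ET.fromstring(document)
    return {
        "child_tags": [child.tag for child in root],
        "name": root.findtext("name"),
        "homepage_title": root.find("homepage").get("title"),
        "homepage_role": root.find("homepage").get("role"),
    }


if __name__ == "__main__":
    print(parse_back(build_user_record(NAME_PAYLOAD, TITLE_PAYLOAD, escape=False)))
    print(parse_back(build_user_record(NAME_PAYLOAD, TITLE_PAYLOAD)))
```

Without escaping, the parsed record gains an injected `<role>admin</role>` element and an extra `role="admin"` attribute on `<homepage>`; with escaping, the parser returns the two payloads as ordinary string values and the element structure is unchanged. Parsing the output back and comparing it to the input is the cheapest way to verify an escaper in a test suite.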
When to use this tool
Use this tool when you need to embed text safely in XML or HTML markup:
- Escaping user-generated content before embedding it between XML or HTML tags to prevent XML injection
- Preparing text with special characters for use in XML configuration files, XSLT templates, or SOAP messages
- Escaping code snippets that contain < and > characters for display in HTML pages
- Encoding attribute values that contain quotes or ampersands for use in XML attributes or HTML attributes
- Fixing XML parsing errors caused by unescaped & characters in text content or attribute values
- Building XML documents programmatically in server-side code where values may contain XML-breaking characters
Frequently asked questions
Q: Why must & (ampersand) always be escaped first?
The ampersand begins every XML entity reference, including the escaped forms of the other special characters: &lt; (for <) and &gt; (for >). If you escaped < first (to &lt;) and & afterwards, the & that &lt; itself introduced would be escaped again, turning &lt; into &amp;lt;, which renders as the literal text '&lt;' rather than as '<'. Escaping & to &amp; first prevents this, as does performing all replacements in a single pass. This tool handles the ordering automatically. It is the single most common bug in hand-written XML escaping code.
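The ordering bug described above, as an added example (not the tool's own code): a chained-replace escaper that handles & last, the same chain with & first, and a single-pass version that is correct regardless of order. The `rendered` helper decodes the entities once, the way a browser or parser would, so the wrong output can be seen as the reader would see it. The sample string and function names are constructed for the illustration.

```python
import html


def escape_wrong_order(text):
    """Buggy: escapes < and > before &, so the & that &lt; and &gt; introduce is escaped again."""
    return text.replace("<", "&lt;").replace(">", "&gt;").replace("&", "&amp;")


def escape_sequential(text):
    """Correct chained replaces: & first, then the other characters."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_single_pass(text):
    """Correct regardless of order: a single pass with one lookup per character."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}
    return "".join(table.get(ch, ch) for ch in text)


def rendered(escaped):
    """What the reader sees: the entities decoded once by the browser or parser."""
    return html.unescape(escaped)


SAMPLE = "if a < b && c > d"  # constructed input mixing all three characters

if __name__ == "__main__":
    for fn in (escape_wrong_order, escape_sequential, escape_single_pass):
        out = fn(SAMPLE)
        print(f"{fn.__name__:20} {out!r:45} -> {rendered(out)!r}")
```

The wrong-order version produces `&amp;lt;` and `&amp;gt;`, which decode back to the literal strings `&lt;` and `&gt;` instead of the angle brackets; the other two round-trip the sample exactly. The single-pass form is the one to prefer in new code because it cannot be broken by reordering the replacements later.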
Q: When should I use Attribute mode instead of Text Content mode?
Use Attribute mode when the escaped text will appear inside an XML or HTML attribute value. Attribute values are delimited by either single or double quotes, and a quote character matching the delimiter terminates the value early, so the rest of the input is parsed as new attributes. Because the escaper cannot know which delimiter the consuming template uses, Attribute mode escapes both: " becomes &quot; and ' becomes &apos;. For example, class='user's choice' is broken markup; with the apostrophe escaped it becomes class='user&apos;s choice'. Note that entity escaping only protects a value that is actually quoted: an unquoted attribute can be terminated by a space, so always put quotes around attribute values. In Text Content mode (between tags), quote characters do not need escaping, since they have no special meaning outside of attribute context. Use Text Content mode for everything between <tags> and Attribute mode for everything inside attribute="values".
Q: Does XML escaping also work for HTML?
Yes. The five XML entities (&amp;, &lt;, &gt;, &quot;, &apos;) are all valid in HTML5. HTML5 defines a much larger set of named character references (over 2,000), but these five are the ones that matter for security and correctness. The one historical difference is &apos;: HTML4 did not define it (most browsers decoded it anyway, but older versions of Internet Explorer displayed it literally), whereas HTML5 does, and all modern browsers handle it correctly. For HTML output you can use this tool's output directly. In HTML, escaping > is technically optional, but it is recommended for consistency and future-proofing.
Q: Does XML escaping prevent XSS attacks?
HTML escaping is the primary defense against XSS, reflected or stored, when untrusted data lands in an HTML context. By converting < to &lt;, an injected <script> tag becomes visible as literal text rather than being parsed as an element. Context matters critically, however: escaping covers HTML text nodes and quoted attribute values, but other injection contexts need their own encoding. Data placed inside a JavaScript string, a CSS value, or a URL requires JavaScript, CSS, or URL encoding respectively. Two attribute cases deserve particular care: a value placed in a URL attribute such as href or src can still run if it begins with javascript:, since no character in that string needs escaping, and event-handler attributes such as onclick are JavaScript contexts even though they are attributes. This tool handles the HTML/XML text and attribute contexts. For a complete XSS prevention strategy, combine HTML escaping with a Content Security Policy (CSP), URL encoding for URL parameters, JavaScript escaping for JS strings, and allow-list validation of URL schemes.
Q: What is the difference between &apos; and &#39; for apostrophes?
&apos; is the named entity for the apostrophe. It is one of the five entities the XML specification predefines, so XML documents can use it without any external DTD. &#39; is the decimal numeric character reference for the same character (Unicode code point 39) and is valid in any XML or HTML document. HTML4 did not define &apos; (most browsers decoded it anyway, but older versions of Internet Explorer displayed it literally), while &#39; has always worked everywhere. In HTML5, both are valid. &quot; for the double quote is defined in both XML and HTML. When targeting XML or XHTML, use &apos;. When targeting HTML4-compatible systems, &#39; is the safer choice. This tool uses &apos; (the XML standard form) in Attribute mode.
Q: Do I need to escape > (greater-than) in XML text content?
Strictly, only < and & must always be escaped in XML text content. The specification requires > to be escaped only when it appears in the sequence ]]>, which would otherwise be read as the end of a CDATA section; a conforming parser rejects a bare ]]> in character data as not well-formed. In practice, virtually all XML encoders escape > as &gt; in text content anyway, for readability, consistency, and defensive programming, since doing so removes the need to detect the ]]> case at all. This tool always escapes > in both modes for the same reasons.
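The ]]> edge case described above, as an added example (not the tool's own code): a minimal escaper that handles only & and <, as the specification strictly requires, beside one that also escapes >. Each output is wrapped in an element and parsed with Python's expat-based parser to show that the minimal form is accepted for an ordinary > but rejected when the input contains ]]>. The wrapper element and sample strings are constructed for the illustration.

```python
import xml.etree.ElementTree as ET


def escape_minimal(text):
    """Escape only what the XML spec always requires in text content: & and <."""
    return text.replace("&", "&amp;").replace("<", "&lt;")


def escape_full(text):
    """Also escape >, as this tool does in both modes."""
    return escape_minimal(text).replace(">", "&gt;")


def parsed_text(escaped_content):
    """Wrap escaped content in an element and parse it.

    Returns the recovered text, or None if the parser rejects the document
    as not well-formed.
    """
    try:
        return ET.fromstring(f"<v>{escaped_content}</v>").text
    except ET.ParseError:
        return None


PLAIN = "1 > 0"          # constructed: a bare > is legal in character data
TRICKY = "data]]>more"   # constructed: ]]> outside a CDATA section is not

if __name__ == "__main__":
    for sample in (PLAIN, TRICKY):
        print(repr(sample), "minimal:", parsed_text(escape_minimal(sample)),
              "full:", parsed_text(escape_full(sample)))
```

The minimal escaper round-trips `1 > 0` but yields `None` for `data]]>more`, because the parser reports an invalid token at the ]]>; escaping > unconditionally avoids having to special-case that sequence.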