What characters do I need to escape in XML documents?

xml escaping character

What characters must be escaped in XML documents, or where could I find such a list?

Example: <company>AT&T</company>

See Simplified XML Escaping below for a concise and easily remembered guide that I've distilled from primary sources (W3C Extensible Markup Language (XML) 1.0 (Fifth Edition)).

Literally none of the answers here are correct. You also must escape many various control characters in XML 1.1.

@JasonC: Understanding the question as intended rather than literally is ideal. If you feel future readers would benefit from an elaboration of how to specify control characters in XML, please elaborate in an answer. Thanks.

@kjhughes With the question being interpreted as intended, literally none of the answers here are correct. You also must escape many various control characters in XML 1.1, as outlined here. See also XML 1.1 §4.1, §4.4, §4.6, and Appx. C for specific details and restrictions.

Peter Mortensen

If you use an appropriate class or library, they will do the escaping for you. Many XML issues are caused by string concatenation.

XML escape characters

There are only five:

"   &quot;
'   &apos;
<   &lt;
>   &gt;
&   &amp;

Escaping characters depends on where the special character is used.

The examples can be validated at the W3C Markup Validation Service.

Text

The safe way is to escape all five characters in text. However, the three characters ", ' and > needn't be escaped in text:

<?xml version="1.0"?>
<valid>"'></valid>

Attributes

The safe way is to escape all five characters in attributes. However, the > character needn't be escaped in attributes:

<?xml version="1.0"?>
<valid attribute=">"/>

The ' character needn't be escaped in attributes if the quotes are ":

<?xml version="1.0"?>
<valid attribute="'"/>

Likewise, the " needn't be escaped in attributes if the quotes are ':

<?xml version="1.0"?>
<valid attribute='"'/>

Comments

All five special characters must not be escaped in comments:

<?xml version="1.0"?>
<valid>
<!-- "'<>& -->
</valid>

CDATA

All five special characters must not be escaped in CDATA sections:

<?xml version="1.0"?>
<valid>
<![CDATA["'<>&]]>
</valid>

Processing instructions

All five special characters must not be escaped in XML processing instructions:

<?xml version="1.0"?>
<?process <"'&> ?>
<valid/>

XML vs. HTML

HTML has its own set of escape codes which cover a lot more characters.

@Pacerier, I beg you not to write your own XML/HTML escaping code. Use a library function or you're bound to miss a special case.

Also for line breaks you need to use and for tab, if you need these characters in an attribute.

If you're going to do a Find/Replace on these, just remember to do the & replacement before the others.

@Doug I was just about to mention the exact same thing - or else all other replaced characters will be corrupted, and things like " will be changed to &quot;

From Wikipedia: "All permitted Unicode characters may be represented with a numeric character reference." So there are a lot more than 5.

Ry-

Perhaps this will help:

List of XML and HTML character entity references:

In SGML, HTML and XML documents, the logical constructs known as character data and attribute values consist of sequences of characters, in which each character can manifest directly (representing itself), or can be represented by a series of characters called a character reference, of which there are two types: a numeric character reference and a character entity reference. This article lists the character entity references that are valid in HTML and XML documents.

That article lists the following five predefined XML entities:

quot  "
amp   &
apos  '
lt    <
gt    >

Albz

According to the specifications of the World Wide Web Consortium (w3C), there are 5 characters that must not appear in their literal form in an XML document, except when used as markup delimiters or within a comment, a processing instruction, or a CDATA section. In all the other cases, these characters must be replaced either using the corresponding entity or the numeric reference according to the following table:

Original CharacterXML entity replacementXML numeric replacement < < < > > > " " " & & & ' ' '

Notice that the aforementioned entities can be used also in HTML, with the exception of ', that was introduced with XHTML 1.0 and is not declared in HTML 4. For this reason, and to ensure retro-compatibility, the XHTML specification recommends the use of ' instead.

XML predefines those five entities, but it absolutely does NOT specify that you can't use any of those five characters in their literal form. < and & have to be escaped everywhere (except CDATA). " and ' only have to be escaped in attribute values, and only if the corresponding quote character is the same. And > never actually has to be escaped.

As written above, < > " & ' do not have to be escaped when used as markup delimiters or within a comment, a processing instruction, or a CDATA section. i.e. when you use < > as an XML tag you don't escape it. Same thing for a comment (would you escape an & in a commented line of a XML file? You don't need to, and your XML is still valid if you don't). This is clearly specified in the official recommendations for XML by W3C.

@ShaunMcCance > must be escaped if it follows ]] within content, unless it's intended to be part of the ]]> delimiter that indicates the end of a CDATA section.

Not to be a necromancer, but @Albz is incorrect in saying that these characters MUST be entitized in content. See section 2.4 at w3.org/TR/REC-xml/#NT-CharData. The TL;DR version of that is that in chardata element content, & and < have to always be entitized. The > character MAY be entitized, although it MUST be when appearing in the literal string “]]>” because otherwise that will be read as ending a CDATA section. For single-quote and double-quote, you can escape if you want to. That's it, for chardata inside elements. Other components of XML have other rules.

kjhughes

New, simplified answer to an old, commonly asked question...

Simplified XML Escaping (prioritized, 100% complete)

Always (90% important to remember) Escape < as < unless < is starting a or other markup. Escape & as & unless & is starting an &entity;. Attribute Values (9% important to remember) attr=" 'Single quotes' are ok within double quotes." attr=' "Double quotes" are ok within single quotes.' Escape " as " and ' as ' otherwise. Comments, CDATA, and Processing Instructions (0.9% important to remember) nothing has to be escaped but no -- strings are allowed. nothing has to be escaped, but no ]]> strings are allowed. nothing has to be escaped, but no ?> strings are allowed. Esoterica (0.1% important to remember) Escape control codes in XML 1.1 via Base64 or Numeric Character References. Escape ]]> as ]]> unless ]]> is ending a CDATA section. (This rule applies to character data in general – even outside a CDATA section.)

One other rule worth noting: ]]> must be escaped as ]]>, even when not in a CDATA section. The easiest way of achieving that may be to always escape > as >.

Thanks, @MichaelKay. I've incorporated your helpful note about ]]> but chose to relegate it to esoterica rather than suggesting that > always be escaped (which it needn't be, as you know). My goal here to make the XML escaping rules easily remembered and 100% accurate.

The above answers including accepted one mention all five characters should be escaped inside attributes. Do you have any reference to XML standard to back what you are saying as your answer logically seems to be the correct one?

@RomanSusi: Yes, many other answers contain errors or overgeneralizations ("The safe way...") based on hearsay, misinterpretation, or misunderstanding of the official XML BNF. My answer is (a) 100% justified by W3C XML Recommendation; see the many linked references to the official BNF, and (b) organized in a concise, logical, and easily remembered progression of those requirements.

I think I should change my future first child name from Felipe to ";'Felipe]]>  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> Escaping characters is different for tags and attributes. </p> <p class="mb-0 text-dark "> For tags: </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code> < &lt; > &gt; (only for compatibility, read below) & &amp; </code></pre> <p class="mb-0 text-dark "> For attributes: </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code>" &quot; ' &apos; </code></pre> <p class="mb-0 text-dark "> From <em><a href="http://www.w3.org/TR/2008/REC-xml-20081126/#syntax" rel="noreferrer">Character Data and Markup</a></em>: </p> <p class="mb-0 text-dark "> The ampersand character (&) and the left angle bracket (<) must not appear in their literal form, except when used as markup delimiters, or within a comment, a processing instruction, or a CDATA section. If they are needed elsewhere, they must be escaped using either numeric character references or the strings " & " and " < " respectively. The right angle bracket (>) may be represented using the string " > ", and must, for compatibility, be escaped using either " > " or a character reference when it appears in the string " ]]> " in content, when that string is not marking the end of a CDATA section. To allow attribute values to contain both single and double quotes, the apostrophe or single-quote character (') may be represented as " ' ", and the double-quote character (") as " " ". </p> <hr class="my-4"> <div> <div class="comment"> <div class="p-3 mb-2 bg-light border rounded"> This implies that for attributes only quotes need to be escaped, but that is in addition to the other three characters </div> </div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">P</span> </span></div> <div class=" ms-3 w-100"> <small>Peter Mortensen</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> In addition to the commonly known five characters [<, >, &, ", and '], I would also escape the vertical tab character (0x0B). It is valid UTF-8, but not valid XML 1.0, and even many libraries (including the highly portable (ANSI C) library <a href="https://en.wikipedia.org/wiki/Libxml2" rel="nofollow noreferrer">libxml2</a>) miss it and silently output invalid XML. </p> <hr class="my-4"> <div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">P</span> </span></div> <div class=" ms-3 w-100"> <small>Peter Mortensen</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> Abridged from: <em><a href="http://en.wikipedia.org/wiki/XML#Escaping" rel="noreferrer">XML, Escaping</a></em> </p> <p class="mb-0 text-dark "> There are five predefined entities: </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code>&lt; represents "<" &gt; represents ">" &amp; represents "&" &apos; represents ' &quot; represents " </code></pre> <p class="mb-0 text-dark "> "All permitted Unicode characters may be represented with a numeric character reference." For example: </p> <pre class="mb-0 bg-dark text-white p-2 text-break" style="white-space: pre-wrap; "><code>&#20013; </code></pre> <p class="mb-0 text-dark "> Most of the control characters and other Unicode ranges are specifically excluded, meaning (I think) they can't occur either escaped or direct: </p> <p class="mb-0 text-dark "> <em><a href="http://en.wikipedia.org/wiki/Valid_characters_in_XML" rel="noreferrer">Valid characters in XML</a></em> </p> <hr class="my-4"> <div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">G</span> </span></div> <div class=" ms-3 w-100"> <small>Gabriel Furstenheim</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> The accepted answer is not correct. Best is to use a library for escaping xml. </p> <p class="mb-0 text-dark "> As mentioned in this <a href="https://stackoverflow.com/questions/730133/what-are-invalid-characters-in-xml">other question</a> </p> <p class="mb-0 text-dark "> "Basically, the control characters and characters out of the Unicode ranges are not allowed. This means also that calling for example the character entity is forbidden." </p> <p class="mb-0 text-dark "> If you only escape the five characters. You can have problems like <a href="https://stackoverflow.com/questions/5742543/an-invalid-xml-character-unicode-0xc-was-found">An invalid XML character (Unicode: 0xc) was found</a> </p> <hr class="my-4"> <div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">P</span> </span></div> <div class=" ms-3 w-100"> <small>Peter Mortensen</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> It depends on the context. For the content, it is < and &, and ]]> (though a string of three instead of one character). </p> <p class="mb-0 text-dark "> For attribute values, it is <, &, ", and '. </p> <p class="mb-0 text-dark "> For CDATA, it is ]]>. </p> <hr class="my-4"> <div> </div> </div> </div> </div> </div> </div> <div class="d-flex mb-4"> <div><span class="avatar avatar-md avatar-success"> <span class="avatar-initials rounded-circle">P</span> </span></div> <div class=" ms-3 w-100"> <small>Peter Mortensen</small> <div class="d-flex w-100">  <div class="card mt-2 rounded bg-light w-100"> <div class="card-body p-3"> <p class="mb-0 text-dark "> Only <code><</code> and <code>&</code> are required to be escaped if they are to be treated character data and not markup: </p> <p class="mb-0 text-dark "> <em><a href="http://www.w3.org/TR/xml11/#syntax" rel="nofollow noreferrer">2.4 Character Data and Markup</a></em> </p> <hr class="my-4"> <div> </div> </div> </div> </div> </div> </div> </p> </div> </div> <div class="col-xl-3"> <div class="d-flex flex-row justify-content-start align-items-center bg-light mb-3 mt-8 py-2 rounded"> <div class="flex-fill"> <span class="avatar avatar-xl "> <img src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/images/brand/qrcode_for_gh.jpg?t=20230125' class="rounded w-100 mx-2" alt="关注公众号,不定期副业成功案例分享"/> </span> </div> <div class="flex-fill text-left"> <div class="mx-1"> <h5 class="mb-2 mt-3 ">Follow WeChat</h5> <p>Success story sharing</p> </div> </div> </div> <div class="card card-bordered mb-0 card-hover cursor-pointer"> <div class="card-body"> <h4 class="py-2"> Want to <span class="text-danger">stay one step ahead</span> of the latest teleworks? </h4> <a type="button" class="btn btn-sm btn-outline-primary rounded-pill w-100" href="/admin/payments.html" >Subscribe Now</a> </div> </div> <div class="card mb-4 mt-4 border"> <div>  <div class="card-header"> <h4 class="mb-0">相似问题</h4> </div> <ul class="list-group list-group-flush"> <li class="list-group-item bg-transparent"> <a href="/qa/PkOx">What are invalid characters in XML</a> </li> <li class="list-group-item bg-transparent"> <a href="/qa/k31l">How do I escape ampersands in XML so they are rendered as entities in HTML?</a> </li> <li class="list-group-item bg-transparent"> <a href="/qa/8bQW">What characters are valid for JavaScript variable names?</a> </li> <li class="list-group-item bg-transparent"> <a href="/qa/mABv">How to parse XML and get instances of a particular node attribute?</a> </li> <li class="list-group-item bg-transparent"> <a href="/qa/jmqb">How do I comment out a block of tags in XML?</a> </li> <li class="list-group-item bg-transparent"> <a href="/qa/6KBv">What does <![CDATA[]]> in XML mean?</a> </li> <li class="list-group-item bg-transparent"> <a href="/qa/bl05">Escape @ character in razor view engine</a> </li> <li class="list-group-item bg-transparent"> <a href="/qa/lVbE">Which characters need to be escaped when using Bash?</a> </li> </ul> </div> </div> </div> </div> </div> </div>  <div class="pt-lg-10 pt-5 footer bg-white"> <div class="container"> <div class="row"> <div class="col-lg-4 col-md-6 col-12"> <div class="mb-4"> <img src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/images/brand/logo/logo.png?t=20230125' style="width:30%"> <div class="mt-4"> <p> HuntsBot,a one-stop outsourcing task, remote job, product ideas sharing and subscription platform, which supports DingTalk, Lark, WeCom, Email and Telegram robot subscription. The platform will push outsourcing task requirements, remote work opportunities, product ideas to every subscribed user with timely, stable and reliable. </p> <div class="fs-4 mt-4"> <div class="btn-group dropup"> <button type="button" class="btn btn-primary dropdown-toggle fe fe-globe " data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> English </button> <div class="dropdown-menu"> <a class="dropdown-item" href="https://www.huntsbot.com/qa/XyJw/what-characters-do-i-need-to-escape-in-xml-documents?lang=zh_CN"> 简体中文 </a> <a class="dropdown-item" href="https://www.huntsbot.com/qa/XyJw/what-characters-do-i-need-to-escape-in-xml-documents?lang=en_US"> English </a> </div> </div> </div> </div> </div> </div> <div class="offset-lg-1 col-lg-2 col-md-3 col-6 hidden-less750"> <div class="mb-4"> <h3 class="fw-bold mb-3"> Platform </h3> <ul class="list-unstyled nav nav-footer flex-column nav-x-0"> <li> <a href="/telework.html" class="nav-link"> Outsource </a> </li> <li> <a href="/remote-job.html" class="nav-link"> Remote Job </a> </li> <li> <a href="/products.html" class="nav-link"> Products </a> </li> <li> <a href="/weekly.html" class="nav-link"> Newsletter </a> </li> <li> <a href="/pages/price.html" class="nav-link"> Pricing </a> </li> </ul> </div> </div> <div class="col-lg-2 col-md-3 col-6 hidden-less750"> <div class="mb-4"> <h3 class="fw-bold mb-3"> Support </h3> <ul class="list-unstyled nav nav-footer flex-column nav-x-0"> <li> <a href="/pages/about.html" class="nav-link"> About </a> </li> <li> <a href="/pages/faq.html" class="nav-link"> Frequently Asked Questions </a> </li> <li> <a href="/pages/faq.html" class="nav-link"> How to subscribe </a> </li> </ul> </div> </div> <div class="col-lg-3 col-md-12 hidden-less750">  <div class="mb-4"> <h3 class="fw-bold mb-3"> Contact US </h3> <p> Any questions or suggestions during use, you can contact us in the following ways: </p> <p> Email: <a href="mailto:huntsbot@xinbeitime.com"> huntsbot@xinbeitime.com </a> </p> </div> </div> </div> <div class="row align-items-center g-0 border-top py-2 mt-6">  <div class="col-lg-8 col-md-7 col-12"> <span class="fs-5"> Copyright© 2022-2023 www.huntsbot.com <a href="https://beian.miit.gov.cn/" rel="noindex,nofollow" target="_blank" class="text-reset">浙ICP备2022000860号-4</a> All Rights Reserved. </span> </div>  <div class="col-lg-4 col-md-5 col-12 d-md-flex justify-content-end hidden-less750"> <nav class="nav nav-footer"> <a class="nav-link ps-0" href="/pages/disclaimer.html" target="_blank"> Disclaimer </a> <a class="nav-link px-2 px-md-3" href="/pages/privacy_policy.html" target="_blank"> Privacy Policy </a> <a class="nav-link px-2 px-md-3" href="/pages/terms_of_ervice.html" target="_blank"> Terms of Service </a> </nav> </div> </div> </div> </div>  <div class="modal fade" id="showQrCodeModel" tabindex="-1" role="dialog" aria-labelledby="exampleModalLabel" aria-hidden="true"> <div class="modal-dialog modal-sm" role="document"> <div class="modal-content "> <div class="modal-header"> <h5 class="modal-title " id="exampleModalLabel">微信公众号</h5> <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"> </button> </div> <div class="modal-body"> <img src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/images/brand/qrcode_for_gh.jpg?t=20230125' class="rounded w-100" title="火星来客微信公众号" alt="火星来客微信公众号"> </div> </div> </div> </div> <div class="modal fade" id="modal-alert" tabindex="-1" role="dialog" aria-hidden="true"> <div class="modal-dialog modal-dialog-centered " role="document"> <div class="modal-content"> <div class="modal-header"> <h5 class="modal-title" id="modal-alert-title" >Tips</h5> <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button> </div> <div class="modal-body" id="modal-alert-body"> </div> </div> </div> </div> <button type="button" class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#modal-alert" style="display:none" id="btn-common-alert"></button> <div class="modal fade" id="model-confirm" tabindex="-1" role="dialog" aria-hidden="true"> <div class="modal-dialog modal-dialog-centered modal-sm" role="document"> <div class="modal-content"> <div class="modal-body" id="modal-confirm-body"></div> <div class="modal-footer"> <button type="button" class="btn btn-secondary btn-sm" data-bs-dismiss="modal">No</button> <button type="button" class="btn btn-primary btn-sm" id="btn-confirm-yes" btn-type="ajaxButton">Yes</button> </div> </div> </div> </div> <button type="button" class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#model-confirm" style="display:none" id="btn-common-confirm" ></button> <script > function alertError(message){ alertError(message,"Tips"); } function alertError(message,title){ if(title){ $("#modal-alert-title").html(title); } $("#modal-alert-body").html(message); $("#btn-common-alert").trigger("click"); } function confirmDialog(confirmMessage,actionUrl,actionSuccessMsg){ $("#modal-confirm-body").html(confirmMessage); $("#btn-confirm-yes").attr("data-url",actionUrl); $("#btn-confirm-yes").attr("data-message",actionSuccessMsg); $("#btn-common-confirm").trigger("click"); } </script>   <script src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/libs/jquery/dist/jquery.min.js?t=20230125'></script> <script src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/libs/bootstrap/dist/js/bootstrap.bundle.min.js?t=20230125'></script> <script src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/libs/bootstrap-select/dist/js/bootstrap-select.min.js?t=20230125'></script> <script src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/libs/jquery.form/jquery.form.js?t=20230125'></script> <script src='https://huntsbot-hz-assets.oss-cn-hangzhou.aliyuncs.com/huntsbot/assets/js/custom.js?t=20230125'></script> <script> var _hmt = _hmt || []; (function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?b25fc3fcffc44e8dff36dde049b4ebc1"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s); })(); </script> <script type="text/javascript"> (function(c,l,a,r,i,t,y){ c[a]=c[a]||function(){(c[a].q=c[a].q||[]).push(arguments)}; t=l.createElement(r);t.async=1;t.src="https://www.clarity.ms/tag/"+i; y=l.getElementsByTagName(r)[0];y.parentNode.insertBefore(t,y); })(window, document, "clarity", "script", "fco75ff5x7"); </script>  <script async src="https://www.googletagmanager.com/gtag/js?id=G-BTLS35QW08"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-BTLS35QW08'); </script> <script> (function(){ var el = document.createElement("script"); el.src = "https://lf1-cdn-tos.bytegoofy.com/goofy/ttzz/push.js?a01aa87a04ac652b13258f439e7407fed09ba9bea51f9e0f26ab91ccc91c1924bc434964556b7d7129e9b750ed197d397efd7b0c6c715c1701396e1af40cec962b8d7c8c6655c9b00211740aa8a98e2e"; el.id = "ttzz"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(el, s); })(window) </script> </body> </html>