What are the five predefined XML entities?

The five predefined XML entities are: & for &, < for , " for ", and ' for '. The ampersand must always be escaped first.

What is the difference between XML and HTML entity escaping?

XML defines only five named entities. HTML defines hundreds (like and ©). XML parsers do not recognize HTML-specific named entities — use numeric character references ( instead of ) in XML.

Does this tool decode numeric character references like ?

Yes. The unescape direction decodes both named entities (&, <, >, ", ') and numeric character references in both decimal (&#NNN;) and hex (&#xHH;) forms.

XML Escape / Unescape | Escape XML Entities Online

Character	Named Entity	Decimal Ref	Hex Ref
&	&	&	&
<	<	<	<
>	>	>	>
"	"	"	"
'	'	'	'

You are building an XML document, an RSS feed, or an SVG file and a product name contains an ampersand: AT&T. You paste it directly into an XML element and the XML parser immediately rejects the file with a “not well-formed” error. This tool escapes the & to & — and all the other reserved characters — in one click.

The Five Predefined XML Entities

XML defines exactly five characters that have special meaning in markup and must be escaped when they appear as literal data in element content or attribute values:

Character	Named Entity	Decimal Ref	Hex Ref	Meaning
`&`	`&`	`&`	`&`	Starts an entity reference or character reference
`<`	`<`	`<`	`<`	Starts a tag
`>`	`>`	`>`	`>`	Ends a tag
`"`	`"`	`"`	`"`	Ends a double-quoted attribute value
`'`	`'`	`'`	`'`	Ends a single-quoted attribute value

The & character is the most critical — it must always be the first to escape, because escaping any other character introduces an ampersand that would otherwise need escaping too.

When Each Character Must Be Escaped

& (ampersand): Must always be escaped in both element content and attribute values. Every & that is not the start of a valid entity or character reference is a well-formedness error.

< (less-than): Must always be escaped in element content and attribute values. It starts a tag in XML.

> (greater-than): Technically only required in the sequence ]]> (CDATA section end marker), but best practice is to always escape it for readability and to avoid future parsing issues.

" (double quote): Must be escaped in attribute values delimited by double quotes. Can appear unescaped in element content.

' (apostrophe / single quote): Must be escaped in attribute values delimited by single quotes. Can appear unescaped in element content and double-quoted attributes.

Practical rule: Escape all five characters everywhere. The cost is negligible and it prevents subtle bugs when content moves between element content and attribute positions.

Numeric Character References

Beyond the five named entities, XML supports numeric character references that can represent any Unicode code point:

Decimal: &#NNN; where NNN is the decimal code point. Example:   for non-breaking space (U+00A0), ☺ for ☺ (U+263A).
Hexadecimal: &#xHH; or &#XHHHH; where H is a hex digit. Example: © for © (U+00A9), 😀 for 😀 (U+1F600).

This tool’s unescape direction handles both named entities and numeric references. You can paste XML content containing any combination of &, <,  , ©, etc., and the tool decodes all of them.

XML vs HTML Entity Escaping

XML and HTML share the same five predefined entities, but HTML defines hundreds more named entities ( , ©, —, €, etc.). Standard XML parsers do not recognize HTML-specific named entities — they require numeric character references instead.

When writing XML (including XHTML, SVG, ATOM/RSS feeds), always use:

The five predefined XML named entities for the five reserved characters
Numeric character references for everything else (e.g.   not  )

When writing HTML5, you can use HTML named entities freely.

This tool follows the XML rules: it escapes only the five reserved characters and decodes both XML named entities and numeric character references.

Common XML Escaping Contexts

SVG files: Attribute values in SVG often contain URLs with & parameters (href="page?a=1&b=2") and text content may contain <, >, or " characters.

RSS and Atom feeds: Feed descriptions often contain HTML or Markdown that includes <, >, &, and ". These must be escaped or wrapped in a CDATA section.

XML configuration files: Property values in Spring XML, Maven POM files, ANT build files, and Android manifest files must escape & in connection strings, URLs with parameters, and any other values containing reserved characters.

SOAP web services: SOAP envelope bodies are XML documents. String values in SOAP messages must be properly XML-escaped.

Microsoft Office Open XML (DOCX, XLSX): Word and Excel files are ZIP archives containing XML. String values in these XML files follow standard XML escaping rules.

CDATA Sections as an Alternative

An alternative to escaping is wrapping content in a CDATA section:

<description><![CDATA[Price: 5 < 10 & cost > 3 "value"]]></description>

Inside <![CDATA[…]]>, all characters except the sequence ]]> are treated as literal text — no escaping needed. CDATA sections are most useful for embedding large blocks of HTML, code, or Markdown into XML.

The limitation: CDATA cannot be used in attribute values, and the sequence ]]> within the content itself must still be escaped (by splitting into adjacent CDATA sections).

Escaping in Programming Languages

Python

import xml.sax.saxutils as saxutils

# Escape element content
saxutils.escape("AT&T < 5 > 3")
# → 'AT&amp;T &lt; 5 &gt; 3'

# Escape attribute values (also escapes " and ')
saxutils.escape('<a href="url">', {'"': '&quot;', "'": '&apos;'})

JavaScript (Browser & Node.js)

function escapeXml(str) {
  return str
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

Java

import org.apache.commons.text.StringEscapeUtils;

String escaped = StringEscapeUtils.escapeXml11("AT&T <tag>");
// → "AT&amp;T &lt;tag&gt;"

Frequently Asked Questions

Does escaping > break anything? No. > is always a valid representation of > in XML, even where > would be allowed unescaped. Consistently escaping > is harmless and prevents subtle issues.

Can I use ' in HTML? ' is defined in XML and XHTML but was not part of the original HTML 4 spec. Modern HTML5 parsers support it, but for maximum compatibility in HTML contexts, use ' or ' instead.

What about control characters like \n, \r, \t? Newline, carriage return, and tab are legal in XML content without escaping. Other control characters (U+0000–U+001F except tab, newline, and CR) are illegal in XML documents and cannot be escaped with character references — they must be removed or the document will be invalid.

Is this tool safe for large documents? Yes. Processing runs entirely in your browser. There is no size limit imposed by the tool itself, though very large inputs may be slow depending on your device.

XML Formatter — format and beautify XML documents
JSON Escape / Unescape — escape strings for JSON contexts
URL Encoder / Decoder — percent-encode special characters for URLs

XML Escape / Unescape