XML Escape Online — Encode XML Special Chars

Encode the five XML predefined entities (<, >, &, ", ') so text is safe inside SOAP, RSS, OOXML, or SVG documents — 100% in your browser.

What is XML Escaping?

XML escaping replaces the five characters with syntactic meaning in XML — <, >, &, ", ' — with the predefined entities &lt;, &gt;, &amp;, &quot;, &apos;. It is what every XML serialiser does for text nodes and attribute values to keep documents well-formed.

XML is stricter than HTML: a single unescaped & in a text node makes the whole document not well-formed and triggers a parse error in every conformant parser. The OpenFormatter XML escape tool runs entirely in your browser: paste, escape, and copy directly into your SOAP envelope, RSS feed, or OOXML payload.

How to escape XML online — 4 steps

  1. Paste your text. Drop a string with <, >, &, ", or ' into the Input panel.
  2. Click Escape. The five characters are replaced with the XML predefined entities. & is replaced first to avoid double-encoding.
  3. Inspect the entities. Confirm every special character is now a &name; reference. Whitespace and Unicode are untouched.
  4. Drop into your XML. Paste the escaped output into a text node, single-quoted attribute, or double-quoted attribute — all three contexts are safe.

Sample input and output

Raw input

<config>
  <message>Use & for "AND" — don't forget</message>
  <path value='/home/user'>file.xml</path>
</config>

XML-escaped output

&lt;config&gt;
  &lt;message&gt;Use &amp; for &quot;AND&quot; — don&apos;t forget&lt;/message&gt;
  &lt;path value=&apos;/home/user&apos;&gt;file.xml&lt;/path&gt;
&lt;/config&gt;

Well-Formed XML

Encodes exactly the five XML 1.0 predefined entities — the minimum and complete set required for any conformant XML document.

Injection Safe

Prevents XML injection where a malicious input could close a tag or alter attribute structure inside SOAP, OOXML, or config files.

Browser-Only

Encoding runs locally in JavaScript. SOAP requests and config payloads with secrets never leave the device.

Common use cases

  • Building SOAP request bodies with user-supplied parameters
  • Generating RSS or Atom feed entries from CMS content
  • Producing OOXML / DOCX / XLSX content streams that include user text
  • Authoring SVG documents with embedded labels containing special characters
  • Writing XML config files where dynamic values must remain valid
  • Constructing XLIFF or TMX translation files from source-text strings
  • Generating WSDL or XSD comment text from documentation strings
  • Escaping log lines before embedding them in an XML report or audit trail

XML escape vs HTML escape

The two are nearly identical but diverge on apostrophe handling and named-entity availability. XML defines exactly five entities and uses &apos; for the single quote. HTML4 does not define &apos; (so most HTML escapers emit &#39;) but supplies hundreds of additional named entities (&nbsp;, &copy;, &mdash;) that are simply illegal in XML without a DTD declaration. If your XML document includes characters beyond ASCII, use the literal Unicode (UTF-8 handles it) or numeric character references — never HTML named entities.

Need to reverse the operation?

Use the XML Unescape tool to decode entities back to characters, or browse the full toolkit.

Frequently Asked Questions

What are the five XML predefined entities?

The XML 1.0 specification defines exactly five named entities: `&lt;` (<), `&gt;` (>), `&amp;` (&), `&quot;` ("), and `&apos;` ('). Unlike HTML, XML does not include `&nbsp;`, `&copy;`, or any other named entities — those would have to be declared in a DTD or replaced with numeric character references.

How does XML escaping differ from HTML escaping?

Two ways. First, XML uses `&apos;` for the apostrophe; HTML4 does not define `&apos;` and tools typically emit `&#39;`. Second, XML has only the five predefined entities — every other named entity from HTML (nbsp, copy, mdash, etc.) is invalid in XML unless declared. Use numeric references like `&#160;` instead.

Why must I escape `&` first?

If `<` were escaped before `&`, the resulting `&lt;` itself contains `&`, and the next pass would re-escape it into `&amp;lt;`. Escaping `&` first guarantees no entity reference produced by later passes is corrupted. Every correct XML serialiser follows this rule.
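
The ordering rule above and the page's "Injection Safe" claim, worked through as an added example (this is not OpenFormatter's own code). `buildUser`, `countStartTags` and the sample inputs are constructed for illustration; the single-pass `escapeXml` is one common way to make the ordering question disappear.

```javascript
"use strict";
// The five XML 1.0 predefined entities.
const XML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };

// Single pass: every input character is examined once, so the output of one
// replacement is never re-scanned and replacement order cannot matter.
function escapeXml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Chained passes with `&` first: correct, as the answer above describes.
function escapeAmpFirst(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&apos;");
}

// Chained passes with `&` last: deliberately wrong, kept for contrast.
function escapeAmpLast(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&apos;").replace(/&/g, "&amp;");
}

// Hypothetical template with one double-quoted attribute and one text node.
function buildUser(userName, userNote, escape) {
  return `<user note="${escape(userNote)}"><name>${escape(userName)}</name>` +
    `<role>guest</role></user>`;
}

// Rough start-tag counter for this demo only; it is not an XML parser.
function countStartTags(xml, tag) {
  return (xml.match(new RegExp(`<${tag}[\\s>]`, "g")) || []).length;
}

// Constructed inputs: one tries to close <name>, one tries to close the attribute.
const sampleName = "x</name><role>admin</role><name>y";
const sampleNote = 'a" locked="false';
const unescaped = buildUser(sampleName, sampleNote, (s) => s);
const escaped = buildUser(sampleName, sampleNote, escapeXml);

console.log(escapeAmpLast("a < b & c"));   // double-encoded
console.log(escapeAmpFirst("a < b & c"));  // correct
console.log(countStartTags(unescaped, "role"), countStartTags(escaped, "role"));
console.log(escaped);
```

With escaping applied, the template still has exactly one `<role>` element and one `note` attribute; without it, the input adds a second `<role>` and a `locked` attribute.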

When should I use a CDATA section instead of escaping?

CDATA (`<![CDATA[ ... ]]>`) is best for large blocks of literal text — embedded scripts, code snippets, or pre-formatted markup — where escaping every `<` and `&` would be noisy. For short, dynamic values inside an attribute or text node, entity escaping is shorter and works in attributes (CDATA does not).

Do attributes need different escaping than text nodes?

Yes, slightly. Inside double-quoted attribute values you must escape `&`, `<`, and `"`. Inside single-quoted attributes you must escape `&`, `<`, and `'`. Escaping all five entities works in every context, which is why most serialisers do it unconditionally.

Will XML escaping affect Unicode characters?

No. UTF-8 XML documents handle every Unicode character natively. Only the five ASCII characters with XML syntactic meaning need escaping. Emoji, CJK ideographs, and accented Latin characters pass through unchanged and remain valid XML.
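
Escaping leaves code points alone, so any that XML 1.0 does not allow in a document at all (most C0 control characters such as NUL or ESC, lone surrogates, U+FFFE and U+FFFF) still reach the parser, which matters for the log-line use case in particular. The following added example (not OpenFormatter's code, and going beyond the five-character rule the page describes) finds and replaces such code points before the text is escaped; the function names and the sample log line are constructed.

```javascript
"use strict";
// Complement of the XML 1.0 "Char" production (tab, LF, CR, U+0020-U+D7FF,
// U+E000-U+FFFD, U+10000-U+10FFFF). The `u` flag makes the class operate on
// code points, so a valid surrogate pair counts as one allowed character and
// a lone surrogate is reported.
const NOT_XML10_CHAR = /[^\t\n\r\u0020-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]/gu;

// Returns the position (UTF-16 index) and code point of every disallowed character.
function findIllegalXmlChars(text) {
  return [...text.matchAll(NOT_XML10_CHAR)].map((m) => ({
    index: m.index,
    codePoint: "U+" + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0"),
  }));
}

// Replaces disallowed characters, by default with U+FFFD REPLACEMENT CHARACTER,
// which is itself a legal XML 1.0 character.
function replaceIllegalXmlChars(text, replacement = "\uFFFD") {
  return text.replace(NOT_XML10_CHAR, replacement);
}

// Constructed log line: ANSI colour codes (ESC), a NUL byte, then ordinary Unicode.
const sampleLog = "login ok \u001b[32muser=alice\u001b[0m\u0000 caf\u00e9 \u{1F600}";

console.log(findIllegalXmlChars(sampleLog));
console.log(JSON.stringify(replaceIllegalXmlChars(sampleLog)));
```

Whether to reject the input or replace the characters is a policy choice; replacing with U+FFFD keeps the report parseable while marking where data was dropped.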

Is the apostrophe escape `&apos;` always required?

Only inside single-quoted attribute values (`attr='it&apos;s'`). In text nodes and double-quoted attributes the literal `'` is fine. Most serialisers escape it unconditionally for consistency — it costs five extra bytes and removes a category of bug.

Can I copy the escaped output into a SOAP envelope?

Yes — XML escape output is exactly what SOAP envelopes, RSS/Atom feeds, OOXML/DOCX content, and SVG documents require for textual payloads. Drop the escaped string between your start and end tags and the surrounding XML stays well-formed.
