XML Entity Escaper/Unescaper

Escape the 5 XML special chars amp, lt, gt, apos, and quot

Escape and unescape the five predefined XML entities (& < > ' ") so text is safe inside XML elements and attributes. Strict, spec-correct, and runs entirely in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Which characters does XML require escaping?

XML predefines exactly five entities: ampersand becomes &, less-than becomes <, greater-than becomes >, apostrophe becomes ', and double quote becomes ". Of these, the ampersand and less-than are mandatory in text content; the others matter mostly inside attribute values.

XML is far stricter than HTML about entities: it predefines only five. This tool escapes those five characters so your text is well-formed inside XML elements and attributes, and unescapes them back to plain characters.

Why XML escaping matters

An XML parser is unforgiving. A single unescaped < or & in text content causes the entire document to be rejected as not well-formed — there is no “best-effort” parsing mode equivalent to a web browser’s HTML lenience. This means that data coming from user input, database fields, or external APIs must be escaped before being embedded in XML output.

The classic failure: a business name field containing Johnson & Johnson written directly into XML produces <name>Johnson & Johnson</name>. The parser stops at the ampersand and rejects the file. The correct form is <name>Johnson &amp; Johnson</name>.

The five predefined XML entities

XML defines exactly five named character references. Unlike HTML — which has hundreds — XML allows no others unless you declare them explicitly in a DTD:

& → &amp;     (must escape first, or the later passes create new ampersands)
< → &lt;
> → &gt;
' → &apos;
" → &quot;

The order matters for escaping: the ampersand must be replaced before any other character. If you escape < first and produce &lt;, then escape & you would turn &lt; into &amp;lt; — double-escaping the entity. Every correct XML escaper handles ampersand first.

When each entity is strictly required

ContextMandatoryOptional but safe
Element text content& and <>, ', "
Attribute in double quotes&, <, ">, '
Attribute in single quotes&, <, '>, "

In practice, escaping all five everywhere is the safest approach and is what this tool does by default. Partial escaping creates subtle bugs when the context changes or the XML is re-processed.

Unescape and numeric references

Unescaping reverses the five named references and also expands numeric references such as &#65; (decimal) and &#x41; (hexadecimal), both of which represent the letter A. Unknown named entities are left untouched — the tool never silently drops data.

A common trap: HTML entities in XML

If you are generating XML from an HTML templating engine, watch for HTML-only entities leaking in. &nbsp; (non-breaking space), &copy; (copyright symbol), and hundreds of others are valid in HTML but undefined in plain XML. An XML parser will reject them. The safe alternatives are the literal Unicode character (a real non-breaking space character in the file) or the numeric reference &#160; for non-breaking space.

The simplest approach: if you need content that has previously been through HTML processing, decode HTML entities first, then re-escape for XML using only the five valid XML entities.