这取决于上下文。对于内容，它是<和&，和]]>(尽管是一个由三个字符组成的字符串而不是一个字符)。

对于属性值，它是<、&、"和'。

对于CDATA，为[]>。

如果要处理字符数据而不是标记，则只有<和&需要转义:

2.4字符数据和标记

这取决于上下文。对于内容，它是<和&，和]]>(尽管是一个由三个字符组成的字符串而不是一个字符)。

对于属性值，它是<、&、"和'。

对于CDATA，为[]>。

公认的答案不正确。最好是使用一个库来转义xml。

正如在另一个问题中提到的

基本上，控制字符和超出Unicode范围的字符是不允许的。这也意味着，例如，调用字符实体是禁止的。”

如果你只转义这五个字符。您可能会遇到这样的问题:发现了一个无效的XML字符(Unicode: 0xc)

对一个老问题的新的、简化的回答……

简化XML转义(有优先级，100%完成)

Always (90% important to remember) Escape < as &lt; unless < is starting a <tag/> or other markup. Escape & as &amp; unless & is starting an &entity;. Attribute Values (9% important to remember) attr=" 'Single quotes' are ok within double quotes." attr=' "Double quotes" are ok within single quotes.' Escape " as &quot; and ' as &apos; otherwise. Comments, CDATA, and Processing Instructions (0.9% important to remember) <!-- Within comments --> nothing has to be escaped but no -- strings are allowed. <![CDATA[ Within CDATA ]]> nothing has to be escaped, but no ]]> strings are allowed. <?PITarget Within PIs ?> nothing has to be escaped, but no ?> strings are allowed. Esoterica (0.1% important to remember) Escape control codes in XML 1.1 via Base64 or Numeric Character References. Escape ]]> as ]]&gt; unless ]]> is ending a CDATA section. (This rule applies to character data in general – even outside a CDATA section.)

对于标签和属性，转义字符是不同的。

标签:

 < &lt;
 > &gt; (only for compatibility, read below)
 & &amp;

属性:

" "
' '

从字符数据和标记:

The ampersand character (&) and the left angle bracket (<) must not appear in their literal form, except when used as markup delimiters, or within a comment, a processing instruction, or a CDATA section. If they are needed elsewhere, they must be escaped using either numeric character references or the strings " &amp; " and " &lt; " respectively. The right angle bracket (>) may be represented using the string " &gt; ", and must, for compatibility, be escaped using either " &gt; " or a character reference when it appears in the string " ]]> " in content, when that string is not marking the end of a CDATA section. To allow attribute values to contain both single and double quotes, the apostrophe or single-quote character (') may be represented as " &apos; ", and the double-quote character (") as " &quot; ".