---
title: xml_escape
summary: null
url: >-
  https://www.fastly.com/documentation/reference/vcl/functions/strings/xml-escape
---


Escapes characters from a string using XML-style escape sequences.

This function does not understand UTF-8 encoded Unicode text
(like for example JSON), but instead handles it byte by byte.
Characters are escaped according to the rules described in Section 2.4
of the [XML 1.0 W3C Recommendation](https://www.w3.org/TR/xml).

The escaping rules are as follows:

* The ampersand character (`&`) will be represented as `&`.
* The left angle bracket character (`<`) will be represented as `&lt;`.
* The right angle bracket character (`>`) will be represented as `&gt;`.
* The single-quote character (`'`) will be represented as `&apos;`.
* The double-quote character (`"`) will be represented as  `&quot;`.
* If none of the above matched, the byte is passed through as-is.

Other bytes are passed through verbatim.

Some examples:


| Input             | xml\_escape()      |
|:------------------|:-------------------|
| `abc123`          | `abc123`           |
| `romeo&juliet`    | `romeo&amp;juliet` |
| `0 < 1`           | `0 &lt; 1`         |
| `isn't`           | `isn&apos;t`       |

We recommend using
`utf8.is_valid()`
to check that your data represents a valid UTF-8 string before calling
`xml_escape`.

## Example

```vcl
# var.escaped is set to: <city>london</city>
declare local var.escaped STRING;
set var.escaped = "<city>" + xml_escape(client.geo.city.ascii) + "</city>";
```