February 23, 2026 IZHubs

How to Decode XML Entities Safely

Stop your parsers from crashing. Learn what XML entities are, why they break systems, and how to decode them properly in JavaScript.

When processing external RSS feeds or archaic SOAP responses, developers frequently encounter sudden parsing crashes pointing to an “Unexpected Character”. Most of the time, this occurs because the developer forgot to run an xml decode function on the payload.

Unlike JSON, which handles a variety of special characters natively inside its quoted strings, Extensible Markup Language (XML) is incredibly restrictive when it comes to five specific characters.

The 5 Forbidden Characters

In XML, the angle brackets (< and >) mark the start and end of markup tags. If an actual data value happens to contain a bracket, the parser interprets the data as a broken tag, and because XML is not well-formed at that point, a conforming parser aborts instead of guessing.

To pass these symbols safely inside a data structure, they must be “escaped” into specific XML entities:

  1. < becomes &lt; (Less-than)
  2. > becomes &gt; (Greater-than)
  3. & becomes &amp; (Ampersand)
  4. " becomes &quot; (Double-quote)
  5. ' becomes &apos; (Apostrophe/Single-quote)

Consider a company named “Barnes & Noble”. In an XML document, it must be written as <company>Barnes &amp; Noble</company>. If you see Barnes & Noble literally, with a bare ampersand, the XML is not well-formed and a conforming parser will reject it.

How to Decode XML in JavaScript

If you pull that XML string into a frontend React application, the user doesn’t want to see the literal text “Barnes &amp; Noble” on their screen. You must XML-decode the string back to its original human-readable form.

Because browser JavaScript has the HTML parser available through the DOM, it offers a built-in way to decode these entities: assign the encoded string to a detached <textarea> element’s innerHTML and read back its value. A textarea’s content is parsed as text rather than markup, so entity references are resolved but no tags inside the string are interpreted and no script runs. Two caveats: this relies on the HTML entity table, so it also accepts HTML-only names such as &nbsp; that a strict XML parser would reject, and it only works where document exists, not in Node.js.

function decodeXMLEntities(encodedString) {
    // Create an invisible textarea in memory
    const textarea = document.createElement("textarea");
    
    // Assign the encoded string as raw HTML
    textarea.innerHTML = encodedString;
    
    // Return the native, decoded text value
    return textarea.value;
}

console.log(decodeXMLEntities("Barnes &amp; Noble")); 
// Output: Barnes & Noble
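The textarea trick is browser-only and uses the HTML entity table. As an added example (not the article’s code), here is a DOM-free encoder and decoder for the five predefined entities listed above, extended to numeric character references (&#65; and &#x41;) and made strict: a bare ampersand such as the one in “Barnes & Noble”, an unterminated reference, an HTML-only entity, or a numeric reference to a character XML does not allow all raise a SyntaxError instead of being passed through. The escapeForHtml helper covers the point made in the next section: a decoded value must be escaped again before it is written back into markup. All function names and the sample strings are my own.

```javascript
// Added example, not the article's code: a DOM-free XML entity
// encoder/decoder that runs in Node.js as well as in the browser.

const XML_ENTITIES = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
const ESCAPE_MAP = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&apos;" };

// Escape the five reserved characters so arbitrary text can be placed
// inside an XML element or attribute value.
function escapeXml(text) {
  return String(text).replace(/[<>&"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Characters permitted in an XML 1.0 document (the "Char" production).
function isXmlChar(cp) {
  return cp === 0x9 || cp === 0xa || cp === 0xd ||
    (cp >= 0x20 && cp <= 0xd7ff) ||
    (cp >= 0xe000 && cp <= 0xfffd) ||
    (cp >= 0x10000 && cp <= 0x10ffff);
}

// Resolve one reference body (the text between "&" and ";").
function resolveReference(body, offset) {
  if (/^#x[0-9a-f]+$/i.test(body) || /^#[0-9]+$/.test(body)) {
    const cp = body[1].toLowerCase() === "x"
      ? parseInt(body.slice(2), 16)
      : parseInt(body.slice(1), 10);
    if (!isXmlChar(cp)) {
      throw new SyntaxError(`&${body}; at offset ${offset} is not a legal XML character`);
    }
    return String.fromCodePoint(cp);
  }
  if (Object.prototype.hasOwnProperty.call(XML_ENTITIES, body)) {
    return XML_ENTITIES[body];
  }
  // Anything else (an HTML-only name such as nbsp, or an entity the
  // document never declared) is a well-formedness error in XML.
  throw new SyntaxError(`unknown entity reference "&${body};" at offset ${offset}`);
}

// Decode an XML-escaped string back to plain text.
function decodeXml(encoded) {
  const s = String(encoded);
  let out = "";
  let i = 0;
  while (i < s.length) {
    const amp = s.indexOf("&", i);
    if (amp === -1) { out += s.slice(i); break; }
    out += s.slice(i, amp);
    const end = s.indexOf(";", amp);
    // A reference must be terminated, non-empty and free of whitespace;
    // the bare "&" in "Barnes & Noble" fails this check.
    const body = end === -1 ? null : s.slice(amp + 1, end);
    if (body === null || body.length === 0 || /\s/.test(body)) {
      throw new SyntaxError(`bare or unterminated "&" at offset ${amp}`);
    }
    out += resolveReference(body, amp);
    i = end + 1;
  }
  return out;
}

// Decoded text is plain text again, so before it goes back into HTML it
// must be escaped once more; otherwise "<b>" decoded from "&lt;b&gt;" is
// parsed as a tag. &#39; is used for the apostrophe because &apos; is not
// recognised by older HTML parsers. In a browser, element.textContent
// avoids this step entirely; only innerHTML needs it.
function escapeForHtml(decoded) {
  return escapeXml(decoded).replace(/&apos;/g, "&#39;");
}

// Stand-alone demonstration (constructed sample input).
const sample = `Barnes & Noble's "<b>"`;
console.log(escapeXml(sample));               // Barnes &amp; Noble&apos;s &quot;&lt;b&gt;&quot;
console.log(decodeXml(escapeXml(sample)));    // round-trips to the original
console.log(decodeXml("&#x41;&#66;&lt;b&gt;")); // AB<b>
try { decodeXml("Barnes & Noble"); } catch (e) { console.log(e.message); }
```

Note that the strictness is deliberate: silently skipping an unknown reference would hide the very malformation that crashes the XML parser further up the pipeline, and would let inconsistent content reach the page.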

Moving Beyond Raw XML

Repeatedly decoding and manipulating raw markup strings in JavaScript is a recipe for cross-site scripting (XSS) vulnerabilities: once a value has been decoded, any < or & it contained is live markup again, so writing it back into the page through innerHTML lets content from an untrusted feed become executable HTML. Decoded values belong in textContent, or must be escaped again before they are inserted as HTML.

The industry standard approach is to instantly convert legacy XML data streams into modern, secure JSON format the moment they hit the client. To do this safely, paste your minified payloads into our local XML Format Converter tool, which handles entity decoding automatically.

If the resulting JSON still looks mangled due to massive strings wrapped in backslashes (\"), read our tutorial covering How to Clean Escaped JSON data.

If the data is perfectly clean but your stakeholders demand it in a Microsoft Excel format instead of objects, read our heavy architectural breakdown regarding XML to CSV Translations.