Escaping in XML is broken.
Unlike utf-8, in which there is a credible story in which one can check a sequence of bytes and determine if the bytes are likely encoded in utf-8, there is no such algorithm for XML escaping.
This trips up seasoned professionals every day.