The transform.XMLEscape function removes [disallowed characters] as defined in the XML specification, then escapes the result by replacing the following characters with [HTML entities]:
" → &#34;
' → &#39;
& → &amp;
< → &lt;
> → &gt;
\t → &#x9;
\n → &#xA;
\r → &#xD;
For example:
{{ transform.XMLEscape "<p>abc</p>" }} → &lt;p&gt;abc&lt;/p&gt;
When using transform.XMLEscape in a template rendered by Go’s [html/template] package, declare the string to be safe HTML to avoid double escaping. For example, in an RSS template:
layouts/_default/rss.xml
<description>{{ .Summary | transform.XMLEscape | safeHTML }}</description>
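The following Go program is an added example, not Hugo's own source. It reproduces the two-step behaviour described above (strip characters outside the XML 1.0 Char range, then escape with encoding/xml) and shows the double escaping that html/template applies when the result is not marked as safe HTML. The names xmlEscape and render, and the sample summary string, are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"html/template"
	"strings"
)

// xmlEscape is a hypothetical stand-in for transform.XMLEscape: drop runes
// outside the XML 1.0 Char production, then escape with encoding/xml.
func xmlEscape(s string) string {
	cleaned := strings.Map(func(r rune) rune {
		if r == 0x9 || r == 0xA || r == 0xD ||
			(r >= 0x20 && r <= 0xD7FF) ||
			(r >= 0xE000 && r <= 0xFFFD) ||
			(r >= 0x10000 && r <= 0x10FFFF) {
			return r
		}
		return -1 // a negative value makes strings.Map drop the rune
	}, s)
	var buf bytes.Buffer
	xml.EscapeText(&buf, []byte(cleaned)) // writes to a bytes.Buffer do not fail
	return buf.String()
}

// render executes a one-line html/template with xmlEscape and safeHTML available.
func render(tmpl, summary string) string {
	funcs := template.FuncMap{
		"xmlEscape": xmlEscape,
		"safeHTML":  func(s string) template.HTML { return template.HTML(s) },
	}
	t := template.Must(template.New("rss").Funcs(funcs).Parse(tmpl))
	var out bytes.Buffer
	if err := t.Execute(&out, summary); err != nil {
		panic(err)
	}
	return out.String()
}

func main() {
	summary := "<p>a & b\x00\x1b</p>" // constructed sample containing NUL and ESC
	fmt.Println(render(`<description>{{ . | xmlEscape }}</description>`, summary))
	fmt.Println(render(`<description>{{ . | xmlEscape | safeHTML }}</description>`, summary))
}
```

The first line printed shows every `&` of the already-escaped text escaped a second time by html/template; the second line is the well-formed RSS element.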