Here is the definition of what is allowed in an attribute value.
'"' ([^<&"] | Reference)* '"' | "'" ([^<&'] | Reference)* "'"
So, you can’t have:
- the same character that opens/closes the attribute value (either ' or ")
- a naked ampersand (& must be &amp;)
- a left angle bracket (< must be &lt;)
You should also not be using any characters that are outright not legal anywhere in an XML document (such as form feeds, etc.).
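As an added illustration (not part of the original text), this Python example checks a quoted literal against the production above and escapes an arbitrary string into a double-quoted attribute value, rejecting characters that are illegal in XML 1.0. The function names, the `<user name=...>` element and the sample strings are constructed for this example, and entity names are matched with a simplified pattern.

```python
import re
import xml.etree.ElementTree as ET

# Anything outside the XML 1.0 Char production: form feed, NUL, lone surrogates, ...
_ILLEGAL = re.compile("[^\t\n\r\u0020-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]")

# Reference ::= EntityRef | CharRef (entity names simplified here, an assumption)
_REF = r"&(?:[A-Za-z_:][\w.:-]*|#[0-9]+|#x[0-9A-Fa-f]+);"

def _quoted(q: str) -> str:
    # One alternative of AttValue: q ([^<&q] | Reference)* q
    return f"{q}(?:[^<&{q}]|{_REF})*{q}"

_ATTVALUE = re.compile(_quoted('"') + "|" + _quoted("'"))

def is_att_value(literal: str) -> bool:
    """True if literal (quotes included) matches AttValue and has no illegal chars."""
    return bool(_ATTVALUE.fullmatch(literal)) and not _ILLEGAL.search(literal)

def quote_attr(value: str) -> str:
    """Return value as a double-quoted attribute literal; raise on illegal chars."""
    bad = _ILLEGAL.search(value)
    if bad:
        raise ValueError(f"U+{ord(bad.group()):04X} is not legal in XML 1.0")
    # Tab/LF/CR go out as character references so the parser's attribute-value
    # normalization does not turn them into spaces.
    table = {"&": "&amp;", "<": "&lt;", '"': "&quot;",
             "\t": "&#9;", "\n": "&#10;", "\r": "&#13;"}
    return '"' + "".join(table.get(ch, ch) for ch in value) + '"'

def parse_attrs(value: str) -> dict:
    """Put value into a constructed <user name=.../> element and parse it back."""
    return ET.fromstring(f"<user name={quote_attr(value)}/>").attrib

if __name__ == "__main__":
    for sample in ['Tom & "Jerry" <cat>', 'x" admin="true', "a\x0cb"]:  # constructed
        try:
            print(quote_attr(sample), "->", parse_attrs(sample))
        except ValueError as err:
            print("rejected:", err)
```

A value containing a quote followed by `admin="true` comes back from the parser as a single `name` attribute, which is the property the escaping rules exist to guarantee.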