diff --git a/src/engine/blocks.js b/src/engine/blocks.js
index ba9aac5bb..b3d87e49f 100644
--- a/src/engine/blocks.js
+++ b/src/engine/blocks.js
@@ -1,4 +1,5 @@
 var adapter = require('./adapter');
+var xmlEscape = require('../util/xml-escape');
 
 /**
  * @fileoverview
@@ -369,8 +370,12 @@ Blocks.prototype.blockToXML = function (blockId) {
     // Add any fields on this block.
     for (var field in block.fields) {
         var blockField = block.fields[field];
+        var value = blockField.value;
+        if (typeof value === 'string') {
+            value = xmlEscape(blockField.value);
+        }
         xmlString += '<field name="' + blockField.name + '">' +
-            blockField.value + '</field>';
+            value + '</field>';
     }
     // Add blocks connected to the next connection.
     if (block.next) {
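Review bot: `blockField.name` is still concatenated unescaped into the `name="..."` attribute on the line that builds `<field name="`, so the new escaping covers only the field's text content. If field names can ever come from loaded project data rather than a fixed block definition (not visible from this hunk), a quote or `<` in the name would break the attribute the same way an unescaped value would break the element. `'<field name="' + xmlEscape(String(blockField.name)) + '">'` closes that, since xmlEscape already handles both quote characters. As a style point, `value = xmlEscape(blockField.value);` could read `value = xmlEscape(value);`. blockToXML starts and ends outside this hunk, so any other values it concatenates into the XML string cannot be checked here.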
diff --git a/src/util/xml-escape.js b/src/util/xml-escape.js
new file mode 100644
index 000000000..00ce5bff6
--- /dev/null
+++ b/src/util/xml-escape.js
@@ -0,0 +1,21 @@
+/**
+ * Escape a string to be safe to use in XML content.
+ * CC-BY-SA: hgoebl
+ * https://stackoverflow.com/questions/7918868/
+ * how-to-escape-xml-entities-in-javascript
+ * @param {!string} unsafe Unsafe string.
+ * @return {string} XML-escaped string, for use within an XML tag.
+ */
+var xmlEscape = function (unsafe) {
+    return unsafe.replace(/[<>&'"]/g, function (c) {
+        switch (c) {
+        case '<': return '&lt;';
+        case '>': return '&gt;';
+        case '&': return '&amp;';
+        case '\'': return '&apos;';
+        case '"': return '&quot;';
+        }
+    });
+};
+
+module.exports = xmlEscape;
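Review bot: The JSDoc on `xmlEscape` should state which contexts the output is safe in and what input it accepts. "for use within an XML tag" is ambiguous, and `unsafe.replace` throws a TypeError for any non-string argument. Suggested wording: `@return {string} Escaped string, safe as XML text content or inside a quoted attribute value.`, plus a line saying the caller must pass a string. The function also passes through characters that XML 1.0 forbids (most C0 control characters), so a value containing one would still produce a document that fails to parse. Whether field values can contain such characters is not visible here.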