The only illegal characters are
&, < and > (as well as " or ' in attributes, depending on which character is used to delimit the attribute value