When to CDATA vs. Escape & Vice Versa?


CDATA is primarily useful, IMO, for human readability. As far as a machine is concerned, there's no difference between CDATA and escaped text other than the length, at most. Perhaps the escaped version will take a little bit longer to process, but I say perhaps, because this shouldn't be a significant factor unless your application is mostly IO-bound.

Are people likely to be reading the XML? If not, just let the XML parser do what it does and don't worry about CDATA vs escaped text. If people will be reading this XML, then perhaps CDATA can be the better choice.

If you're going to have an XML element whose value is XML, then for this case, CDATA may be the better choice.

For more information, see for example the XML FAQ's question, When should I use a CDATA Marked Section?


I've seen people use CDATA for the above which is OK, and for wrapping things that are not XML - such as e.g. JSON or CSS - and that's a better reason to use it. The problem happens when people use it to quote element-based markup such as HTML, and then the confusion happens.

People do not expect

<![CDATA[<foo>bar</foo>]]>

to be identical to

<foo>bar</foo>

as far as XML systems are concerned.

See RSS tag soup for examples of the horror of escaping levels.

You also have to be sure that the character sequence ']]>' will never appear in your wrapped data since that's the terminator.

So unless readability is paramount or you are wrapping non-element markup, I recommend avoiding CDATA.


I think that there is no real difference. I prefer to use CDATA for everything because I don't have to care about the characters to escape and the only thing I must take care of are the "]]>" in the content, which btw ARE allowed if you split the CDATA opening and closing tags into multiple fragments.

Example (in PHP)

<?php
function getXMLContent($content)
{
    if
    (
        (strpos($content, '<') !== false) ||
        (strpos($content, '>') !== false) ||
        (strpos($content, '&') !== false) ||
        (strpos($content, '"') !== false) ||
        (strpos($content, '\'') !== false)
    )
    {
        // If value contains ']]>', we need to break it into multiple CDATA tags
        return "<![CDATA[" . str_replace(']]>', ']]]]><![CDATA[>', $content) . "]]>";
    }
    else
    {
        // Value does not contain any special characters which needs to be wrapped / encoded / escaped
        return $content;
    }
}

echo getXMLContent("Hello little world!");
echo PHP_EOL . PHP_EOL;
echo getXMLContent("This < is > a & hard \" test ' for ]]> XML!");
?>

Returns

Hello little world!

<![CDATA[This < is > a & hard " test ' for ]]]]><![CDATA[> XML!]]>

If you put that into an XML structure like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<test>
    <![CDATA[This < is > a & hard " test ' for ]]]]><![CDATA[> XML!]]>
</test>

... save it to a file (like test.xml) and open it with a browser, you'll see that the browser (or any other XML application / parser) will show you the correct output string:

This < is > a & hard " test ' for ]]> XML!
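
The points made in the answers above can be checked with a parser. The following is an added example, not code from any of the answers: it feeds the PHP answer's test string through Python's standard-library XML parser as escaped text, as split CDATA, and as a single unsplit CDATA section, and also shows that CDATA-wrapped markup is parsed as text rather than as an element. The function names are chosen for this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: the test string used in the PHP answer.
SAMPLE = "This < is > a & hard \" test ' for ]]> XML!"


def escaped(text):
    """Entity-escape &, < and > (so ']]>' becomes ']]&gt;')."""
    return escape(text)


def cdata_naive(text):
    """Wrap text in one CDATA section, ignoring any ']]>' inside it."""
    return "<![CDATA[" + text + "]]>"


def cdata_split(text):
    """Wrap text in CDATA, splitting every ']]>' across two sections."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def parsed_text(fragment):
    """Parse <test>fragment</test>.

    Returns (text, number_of_child_elements), or None if the document
    is not well-formed.
    """
    try:
        root = ET.fromstring("<test>" + fragment + "</test>")
    except ET.ParseError:
        return None
    return (root.text or ""), len(root)


def roundtrips(fragment, original):
    """True only if the parser returns exactly the original string
    as character data, with no child elements created."""
    return parsed_text(fragment) == (original, 0)


if __name__ == "__main__":
    for name, wrap in (("escaped", escaped), ("cdata_split", cdata_split),
                       ("cdata_naive", cdata_naive)):
        print(f"{name:12} round-trips: {roundtrips(wrap(SAMPLE), SAMPLE)}")
    # CDATA-wrapped markup is text; the unwrapped form is an element.
    print(parsed_text(cdata_split("<foo>bar</foo>")))
    print(parsed_text("<foo>bar</foo>"))
```
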