diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/sebconfig/impl/converter/StringConverter.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/sebconfig/impl/converter/StringConverter.java
index b6d81e93..3957a9bb 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/sebconfig/impl/converter/StringConverter.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/sebconfig/impl/converter/StringConverter.java
@@ -16,19 +16,20 @@ import java.util.HashSet;
 import java.util.Set;
 import java.util.function.Function;
-import ch.ethz.seb.sebserver.gbl.Constants;
-import ch.ethz.seb.sebserver.webservice.servicelayer.client.ClientCredentialService;
-import ch.ethz.seb.sebserver.webservice.servicelayer.sebconfig.impl.ExamConfigXMLParser;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
+import ch.ethz.seb.sebserver.gbl.Constants;
 import ch.ethz.seb.sebserver.gbl.model.sebconfig.AttributeType;
 import ch.ethz.seb.sebserver.gbl.model.sebconfig.ConfigurationAttribute;
 import ch.ethz.seb.sebserver.gbl.model.sebconfig.ConfigurationValue;
 import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
 import ch.ethz.seb.sebserver.gbl.util.Utils;
+import ch.ethz.seb.sebserver.webservice.servicelayer.client.ClientCredentialService;
 import ch.ethz.seb.sebserver.webservice.servicelayer.sebconfig.AttributeValueConverter;
+import ch.ethz.seb.sebserver.webservice.servicelayer.sebconfig.impl.ExamConfigXMLParser;
 @Lazy
 @Component
@@ -43,8 +44,6 @@ public class StringConverter implements AttributeValueConverter {
 AttributeType.DECIMAL,
 AttributeType.COMBO_SELECTION)));
-
-
 private static final String XML_TEMPLATE = "%s%s";
 private static final String XML_TEMPLATE_EMPTY = "%s";
@@ -95,8 +94,10 @@ public class StringConverter implements AttributeValueConverter {
 final String template,
 final String emptyTemplate) throws IOException {
- final String val = (value != null && value.value != null) ? value.value : attribute.getDefaultValue();
- String realName = AttributeValueConverter.extractName(attribute);
+ final String val = StringEscapeUtils.escapeXml10((value != null && value.value != null)
+ ? value.value
+ : attribute.getDefaultValue());
+ final String realName = AttributeValueConverter.extractName(attribute);
 if (StringUtils.isNotBlank(val)) {
 out.write(Utils.toByteArray(String.format(
 template,
@@ -123,7 +124,7 @@ public class StringConverter implements AttributeValueConverter {
 // decrypt internally encrypted password and hash it for export
 // NOTE: see special case description in ExamConfigXMLParser.createConfigurationValue
- String plainText = this.clientCredentialService.decrypt(value).toString();
+ final String plainText = this.clientCredentialService.decrypt(value).toString();
 if (plainText.endsWith(Constants.IMPORTED_PASSWORD_MARKER)) {
 return plainText.replace(Constants.IMPORTED_PASSWORD_MARKER, StringUtils.EMPTY);
 } else {
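Review bot: `escapeXml10` is applied unconditionally to `val` in a method that receives `template` and `emptyTemplate` as parameters, so the XML escaping is bound to the value rather than to the output format being written. If any caller passes a non-XML template (the callers are outside this hunk, so this is inferred), those values would be emitted with `&amp;`/`&lt;` entities and without that format's own escaping. Likewise, any step that transforms `val` after this line, such as the `decrypt(value)` path in the following hunk if it is handed this string, would operate on already-escaped input and return a result that is not escaped. I would keep `val` raw and escape the final string at the point it is formatted into the XML template, for example by adding a `final Function<String, String> escaper` parameter next to `template` and wrapping the value argument of `String.format` in `escaper.apply(...)`. The method signature and the rest of the `String.format` call lie outside the hunk.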