Sitemap <loc> entries are entity-escaped

Every sampled <loc> value escapes `&`, `<`, and `>` as XML entities. Unescaped `&` is the single most common cause of sitemap parse errors that drop product URLs silently.

What this check looks for

Per sitemaps.org, URLs inside <loc> must entity-escape the five XML reserved characters. An unescaped `&` is the most common offender — query strings need `&`. Unescaped reserved characters cause strict XML parsers to drop the entry or reject the document. We sample the first 100 <loc> entries of each sitemap document and report the first offending URL per resource.

Which AI surfaces it affects

Google AI Mode (UCP)60
Microsoft Copilot50
ChatGPT (ACP)30
Perplexity30
Meta AI30

Weighted against the live specs — ACP 2026-04-17, UCP 2026-04-08.

How to fix it

Entity-escape `&`, `<`, `>` in every <loc>

Shopify

Developer

Shopify's auto-generated sitemaps escape correctly. If failing on Shopify, a custom proxy is rebuilding the XML — fix it to escape.

BigCommerce

Developer

BigCommerce's `/xmlsitemap.php` escapes correctly. Inspect any CDN/edge worker rewriting URLs.

WooCommerce

A few minutes

Yoast / Rank Math escape correctly. A custom sitemap-generating plugin is the usual culprit.

Custom / headless

Developer

Use an XML library to write <loc> values — never string concatenation.

// Correct entity escaping
function xmlEscape(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;');
}

The spec it's pinned to

sitemaps.org — Entity escaping
The sitemaps.org protocol requires that URLs inside <loc> escape the five XML reserved characters. Unescaped `&` is the most common cause of XML parse errors that drop entries silently.

sitemaps.org — Entity escaping ↗

Does your store pass this check?

Run the full audit — 82 checks across five AI shopping surfaces. Most tools only check whether you get mentioned; we check whether an agent can buy from you.

Related discovery checks

← All 82 checks