diff --git a/__tests__/auth.test.ts b/__tests__/auth.test.ts
index 3fa739c..7134e5c 100644
--- a/__tests__/auth.test.ts
+++ b/__tests__/auth.test.ts
@@ -82,4 +82,22 @@ describe('auth tests', () => {
     expect(fs.existsSync(m2Dir)).toBe(false);
     expect(fs.existsSync(settingsFile)).toBe(false);
   }, 100000);
+
+  it('escapes invalid XML inputs', () => {
+    const id = 'packages';
+    const username = 'bluebottle';
+    const password = '&<>"\'\'"><&';
+
+    expect(auth.generate(id, username, password)).toEqual(`
+  <settings>
+      <servers>
+        <server>
+          <id>${id}</id>
+          <username>${username}</username>
+          <password>&amp;&lt;&gt;&quot;&apos;&apos;&quot;&gt;&lt;&amp;</password>
+        </server>
+      </servers>
+  </settings>
+  `);
+  });
 });
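Review bot: The new test only exercises escaping on the password element; `id` and `username` are given values with no special characters, so a regression that escaped only the password would still pass. Feeding a metacharacter into each of the other two fields closes that gap, e.g. `const id = 'pack<ages>';` with the expectation `<id>pack&lt;ages&gt;</id>`, and similarly a `&` or quote in `username`. It would also be worth one assertion that the escaped output contains none of the raw `<`, `>` or `&` characters, since that is the property the change exists to guarantee rather than the exact entity spelling.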
diff --git a/dist/index.js b/dist/index.js
index 7d9c7bb..c7b1f98 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -4145,15 +4145,23 @@ function configAuthentication(id, username, password) {
     });
 }
 exports.configAuthentication = configAuthentication;
+function escapeXML(value) {
+    return value
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&apos;');
+}
 // only exported for testing purposes
 function generate(id, username, password) {
     return `
   <settings>
       <servers>
         <server>
-          <id>${id}</id>
-          <username>${username}</username>
-          <password>${password}</password>
+          <id>${escapeXML(id)}</id>
+          <username>${escapeXML(username)}</username>
+          <password>${escapeXML(password)}</password>
         </server>
       </servers>
   </settings>
diff --git a/src/auth.ts b/src/auth.ts
index 1001b2c..ca43c20 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -27,15 +27,24 @@ export async function configAuthentication(
   }
 }
 
+function escapeXML(value: string) {
+  return value
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+}
+
 // only exported for testing purposes
 export function generate(id: string, username: string, password: string) {
   return `
   <settings>
       <servers>
         <server>
-          <id>${id}</id>
-          <username>${username}</username>
-          <password>${password}</password>
+          <id>${escapeXML(id)}</id>
+          <username>${escapeXML(username)}</username>
+          <password>${escapeXML(password)}</password>
         </server>
       </servers>
   </settings>
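Review bot: `escapeXML` in src/auth.ts carries neither a return type nor a comment explaining its contract, and the same helper is duplicated in the built dist/index.js hunk. Give it `function escapeXML(value: string): string {` and a header along the lines of `/** Escapes the five XML special characters so that action inputs written into settings.xml cannot break out of their element or introduce new elements. The & replacement must run first or the entities it produces would be re-escaped. */`. The ordering remark matters because a later refactor that reorders the chain would silently double-encode. Note that characters illegal in XML 1.0 text (e.g. most control characters) are not handled by this escaping and would presumably still yield an unparsable file; that is a narrower concern than injection but may deserve a sentence in the comment. The body of `generate` continues past the end of the hunk.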