When generating XML it's important to escape (e.g. replace with entities) all strings. This is important for two reasons: 1) to produce valid XML, and 2) to protect against injection attacks. The best way to produce valid and safe XML is to build a DOM tree and serialize it. In fact, many parts of CMS do this via the XMLObject class. However, for some reason CMSServlet.outputXML just uses println() in a naive fashion.

By the way, I've filed a number of bugs in the last couple of days. I've got patches for many of them and I'll attach the patches to the bug reports shortly.
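To show the difference the comment above is describing, here is an added illustration (not code from CMS/Dogtag, and not the patch attached to this bug). It contrasts a println()-style servlet response built by string concatenation with the same response built as a DOM tree and serialized through the JDK's javax.xml.transform identity transformer, which escapes text nodes for you. The element names (xml, Status, Error), the method names, and the hostile input are assumptions chosen for the demonstration; the real CMSServlet.outputXML format may differ.

```java
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class XmlOutputDemo {

    // Naive approach (hypothetical stand-in for a println()-based servlet):
    // untrusted text is concatenated straight into the markup, so a value
    // containing '<' or '&' yields invalid XML or an attacker-chosen element.
    static String naiveOutput(String status, String userValue) {
        StringBuilder sb = new StringBuilder();
        sb.append("<xml>\n");
        sb.append("  <Status>").append(status).append("</Status>\n");
        sb.append("  <Error>").append(userValue).append("</Error>\n");
        sb.append("</xml>\n");
        return sb.toString();
    }

    // Fallback for code paths that cannot build a DOM: replace the five
    // characters that are significant in XML content and attribute values.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Recommended approach: build a DOM tree and let the serializer escape.
    // Untrusted strings only ever become text nodes, never markup.
    static String domOutput(String status, String userValue) throws Exception {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document doc = db.newDocument();
        Element root = doc.createElement("xml");
        doc.appendChild(root);

        Element st = doc.createElement("Status");
        st.appendChild(doc.createTextNode(status));
        root.appendChild(st);

        Element err = doc.createElement("Error");
        err.appendChild(doc.createTextNode(userValue)); // serialized with entities
        root.appendChild(err);

        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter sw = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(sw));
        return sw.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a value an attacker could supply in a request
        // parameter to close <Error> early and inject a forged <Status>.
        String hostile = "oops</Error><Status>0</Status><Error>";

        System.out.println("--- naive: forged element lands in the response ---");
        System.out.println(naiveOutput("1", hostile));
        System.out.println("--- manual escaping: markup becomes inert text ---");
        System.out.println(naiveOutput("1", escapeXml(hostile)));
        System.out.println("--- DOM + serializer: escaping is automatic ---");
        System.out.println(domOutput("1", hostile));
    }
}
```

The third output is the one to aim for: with a DOM tree, escaping is a property of the serializer rather than something each call site has to remember, which is exactly the gap between XMLObject-based code and a hand-rolled println() path.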
Patch provided in bz #531953 solves this problem.
Patch included in bug #533979 (attachment #373874) is committed.