Which characters are Invalid (unless encoded) in an XML attribute?

I can't believe I can't find this information easily accessible, so:

1. Which characters cannot be incorporated in an XML attribute without entity-encoding them?

Obviously, you need to encode quotes. What about < and >? What else?

2. Where exactly is the official list?

Here is the definition of what is allowed in an attribute value.

'"' ([^<&"] | Reference)* '"'  |  "'" ([^<&'] | Reference)* "'" 

So, you can't have:

• the same character that opens/closes the attribute value (either ' or ")
• a naked ampersand (& must be &)
• a left angle bracket (< must be <)

You should also not being using any characters that are outright not legal anywhere in an XML document (such as form feeds, etc).

As per the (2) current recommendation, specifically regarding character data and Markup, they are (1) the ampersand (&), left angle bracket (<), right angle bracket (>) and both single-quote (') and double-quote (").

See 2.2 Characters in "Extensible Markup Language (XML) 1.0 (Third Edition)".

Note that, at least with .NET, if you are using the XML APIs to work with XML, then you won't have to worry about this. It's the reason not to treat XML as being text.