diff --git a/.gitattributes b/.gitattributes
index 2c544f1..cf6a5e6 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,2 @@
-/example export-ignore
-/tests export-ignore
.gitattributes export-ignore
.gitattributes merge=ours
diff --git a/src/Spid/Saml.php b/src/Spid/Saml.php
index cb82367..4325e5e 100644
--- a/src/Spid/Saml.php
+++ b/src/Spid/Saml.php
@@ -70,7 +70,8 @@ public function getSPMetadata(): string
Your SP certificate file is not readable. Please check file permissions.
XML;
}
- $entityID = $this->settings['sp_entityid'];
+
+ $entityID = htmlspecialchars($this->settings['sp_entityid'], ENT_XML1);
$id = preg_replace('/[^a-z0-9_-]/', '_', $entityID);
$cert = Settings::cleanOpenSsl($this->settings['sp_cert_file']);
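Review bot: `htmlspecialchars($this->settings['sp_entityid'], ENT_XML1)` passes no quote flag, so the quote bits are zero (the same as `ENT_NOQUOTES`) and only `&`, `<` and `>` are escaped, not `"` or `'`. The heredoc that consumes `$entityID` is not visible here, but if the value lands inside an attribute, as entityID and Location normally do in SAML metadata, a quote in the setting can still close the attribute. Use `htmlspecialchars($this->settings['sp_entityid'], ENT_XML1 | ENT_QUOTES)`, and make the same change for `$slo[0]` and `$assertcsArray[$i]` in the later hunks. `$id` on the following line is now built from the escaped string, so an `&` in the entity ID becomes `_amp_` rather than `_`; derive `$id` from the raw setting if the ID should stay stable. The body of getSPMetadata continues outside the hunk.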
@@ -88,7 +89,8 @@ public function getSPMetadata(): string
XML;
foreach ($sloLocationArray as $slo) {
- $location = $slo[0];
+
+ $location = htmlspecialchars($slo[0], ENT_XML1);
$binding = $slo[1];
if (strcasecmp($binding, "POST") === 0 || strcasecmp($binding, "") === 0) {
$binding = Settings::BINDING_POST;
@@ -105,9 +107,10 @@ public function getSPMetadata(): string
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
XML;
for ($i = 0; $i < count($assertcsArray); $i++) {
+ $location = htmlspecialchars($assertcsArray[$i], ENT_XML1);
$xml .= <<
+
XML;
}
for ($i = 0; $i < count($attrcsArray); $i++) {