After beta 2 in June this year, v1 of the WCF security guidance from the Microsoft patterns & practices team is now available. Get it from its CodePlex site.
XML reserves five characters that cannot appear literally in element content or attribute values: &, <, >, " and '. (Strictly, only & and < are always illegal in content; > only matters inside the sequence ]]>, and a quote only when it matches the attribute's delimiter. Escaping all five is the safe habit.) For example, <companyName>Mark & Spencer's</companyName> is not well-formed, because the & starts an entity reference. The valid equivalent is <companyName>Mark &amp; Spencer&apos;s</companyName>. Here is the list of XML special characters and their predefined entity names:

&amp;  for &
&lt;   for <
&gt;   for >
&quot; for "
&apos; for '
There is a handy utility method in .NET that does this conversion when you have to build such XML by hand: System.Security.SecurityElement.Escape(string). It replaces all five characters with their entity references (and returns null for a null argument). Escaping is not only about well-formedness: if user input is concatenated into an XML string unescaped, a value containing < or & can break the document or inject extra elements (XML injection). Where possible, prefer XmlWriter or LINQ to XML, which escape text automatically and never interpret the value as markup.
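As an added example (not part of the original post), the following C# console program builds the <companyName> element from two constructed user inputs three ways: by raw concatenation, with SecurityElement.Escape, and with XmlWriter. It then parses each result to show which are well-formed and which let a crafted value inject an extra <isAdmin> element. The element names and the sample inputs are assumptions chosen for the demonstration.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Text;
using System.Xml;
using System.Xml.Linq;

// Added example, not code from the original post.
class XmlEscapeDemo
{
    // Constructed sample inputs: what a user might type into a "company name" field.
    // The second one is crafted to close the element and inject a sibling element.
    static readonly string[] Inputs =
    {
        "Mark & Spencer's",
        "Acme</companyName><isAdmin>true</isAdmin><companyName>",
    };

    // Unsafe: raw concatenation. The '&' makes the first input ill-formed and the
    // second input is interpreted as markup.
    static string BuildUnsafe(string name) =>
        "<companyName>" + name + "</companyName>";

    // Safe for element content and attribute values: SecurityElement.Escape
    // replaces & < > " ' with &amp; &lt; &gt; &quot; &apos;.
    static string BuildEscaped(string name) =>
        "<companyName>" + SecurityElement.Escape(name) + "</companyName>";

    // Preferred: let XmlWriter escape the text; it is never treated as markup.
    static string BuildWithWriter(string name)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (var w = XmlWriter.Create(sb, settings))
        {
            w.WriteElementString("companyName", name);
        }
        return sb.ToString();
    }

    // Parses the fragment (wrapped in a root so multiple top-level elements are
    // visible) and reports the child element names and the first value.
    static string Describe(string xml)
    {
        try
        {
            var root = XElement.Parse("<root>" + xml + "</root>");
            var names = string.Join(",", root.Elements().Select(e => e.Name.LocalName));
            var first = root.Elements().First().Value;
            return $"well-formed; child elements: {names}; first value: \"{first}\"";
        }
        catch (XmlException ex)
        {
            return "not well-formed: " + ex.Message;
        }
    }

    static void Main()
    {
        foreach (var input in Inputs)
        {
            Console.WriteLine("Input: " + input);
            var variants = new[]
            {
                ("unsafe ", BuildUnsafe(input)),
                ("escaped", BuildEscaped(input)),
                ("writer ", BuildWithWriter(input)),
            };
            foreach (var (label, xml) in variants)
            {
                Console.WriteLine($"  {label}: {xml}");
                Console.WriteLine($"           {Describe(xml)}");
            }
            Console.WriteLine();
        }
    }
}
```

For the first input, the unsafe variant fails to parse while the escaped and writer variants both round-trip to the original text (XmlWriter leaves the apostrophe alone in element content, which is legal). For the second input, the unsafe variant parses cleanly but now contains three child elements, including the injected <isAdmin>; the other two variants yield a single <companyName> whose value is the raw string.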