The solution is simple: don't build XPath expressions by concatenating strings. Use variables, as you would in any other language. Say no to
and say yes to
How do you implement this in .NET? The System.Xml.XPath namespace provides all the functionality you need in the XPathExpression/IXsltContextVariable classes, but using them directly is cumbersome and too geeky for the majority of developers, who just love the SelectNodes() method for its simplicity.
XPathCache.SelectSingleNode("//foo[bar=$var]", doc, new XPathVariable("var", "A'B'C\"D\""))
And this is not only stunningly simple but also safe - remember XPath injection attacks?
You can download the latest Mvp.Xml v2.0 drop from our new project homepage at CodePlex.
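For comparison, this is roughly what the direct System.Xml route mentioned above involves when a `$var` reference is bound by hand. It is an added example, not code from the original post or from Mvp.Xml. The `StringVariableContext` and `StringVariable` classes and the `Bind` method are hypothetical names, the helper handles string values only, and the sample document is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

// Hypothetical helper (not Mvp.Xml code): binds $name references to string values.
sealed class StringVariableContext : XsltContext
{
    private readonly Dictionary<string, string> vars = new Dictionary<string, string>();
    public void Bind(string name, string value) { vars[name] = value; }

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        string value;
        if (!vars.TryGetValue(name, out value))
            throw new InvalidOperationException("Unbound XPath variable: $" + name);
        return new StringVariable(value);
    }
    // No extension functions; the remaining members are required by XsltContext.
    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes) { return null; }
    public override bool Whitespace { get { return true; } }
    public override bool PreserveWhitespace(XPathNavigator node) { return true; }
    public override int CompareDocument(string baseUri, string nextBaseUri) { return 0; }

    private sealed class StringVariable : IXsltContextVariable
    {
        private readonly string value;
        public StringVariable(string value) { this.value = value; }
        public bool IsLocal { get { return false; } }
        public bool IsParam { get { return false; } }
        public XPathResultType VariableType { get { return XPathResultType.String; } }
        public object Evaluate(XsltContext xsltContext) { return value; }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample document; the value is the one used in the post.
        XmlDocument doc = new XmlDocument();
        doc.LoadXml("<root><foo><bar>A'B'C\"D\"</bar></foo></root>");
        string input = "A'B'C\"D\"";

        StringVariableContext ctx = new StringVariableContext();
        ctx.Bind("var", input);
        XPathExpression expr = XPathExpression.Compile("//foo[bar=$var]");
        expr.SetContext(ctx);   // the input is passed as data, never parsed as XPath
        XPathNavigator hit = doc.CreateNavigator().SelectSingleNode(expr);
        Console.WriteLine(hit != null ? hit.OuterXml : "no match");
    }
}
```

Because the expression text is fixed at compile time, quotes in the bound value cannot change the structure of the query; they are only ever compared as string data.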