wrbuf_printf(wrbuf, "<id>%s</id>\n", ht[i].id);
to the save XML entity-encoded form using wrbuf_xmlputs(..).
Left all wrbuf_printf statements involving integers as they are, for example
wrbuf_printf(c->wrbuf, "<hits>%d</hits>\n", stat.num_hits);
as these can not go wrong with the 5 XML entities.