Changed all wrbuf_printf statements involving strings, like

wrbuf_printf(wrbuf, "<id>%s</id>\n", ht[i].id);
to the save XML entity-encoded form using wrbuf_xmlputs(..).

Left all  wrbuf_printf statements involving integers as they are, for example
wrbuf_printf(c->wrbuf, "<hits>%d</hits>\n", stat.num_hits);
as these can not go wrong with the 5 XML entities.

Tested, and working, Bug #1163 closed.