Escape control values as xml entities instead of html

Click escapes Control values and attributes using HTML entities, which doesn't play nice when returning XML payloads for Ajax requests.

I suggest we only escape dangerous HTML characters > < " ' &, with the option of switching escaping off.

Is there any reason to escape all HTML entities?

PS: Apostrophe should be escaped as "& #039;" not "& apos;". apos is not a valid HTML entity