diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1f1137b..9be58d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ All notable changes to [tiny-svg](https://github.com/bpmn-io/tiny-svg) are docum
___Note:__ Yet to be released changes appear here._
+## 4.1.3
+
+* `FIX`: escape entities in attributes ([#16](https://github.com/bpmn-io/tiny-svg/issues/16))
+
## 4.1.2
* `CHORE`: make `clear` work standalone
diff --git a/lib/util/serialize.js b/lib/util/serialize.js
index 83a1511..24152f7 100644
--- a/lib/util/serialize.js
+++ b/lib/util/serialize.js
@@ -3,7 +3,7 @@
*/
var TEXT_ENTITIES = /([&<>]{1})/g;
-var ATTR_ENTITIES = /([\n\r"]{1})/g;
+var ATTR_ENTITIES = /([&<>\n\r"]{1})/g;
var ENTITY_REPLACEMENT = {
'&': '&',
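Review bot: The widened `ATTR_ENTITIES` class on the added line still leaves `'` unescaped, which is only safe if the attribute writer always wraps values in double quotes. That code is not in this hunk, so the invariant deserves a comment next to the regex, e.g. `// attribute values are always emitted in double quotes, so ' is left as is`. The same comment could record why `&`, `<` and `>` are now included: left unescaped in a serialized attribute, they yield markup that is not well-formed or that decodes to a different value when parsed again. Every character in the class also needs an entry in `ENTITY_REPLACEMENT`, whose body continues outside the hunk. As a minor style point, the `{1}` quantifier is redundant in both patterns.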
diff --git a/test/spec/innerSVG.js b/test/spec/innerSVG.js
index 2410f46..ee1505e 100644
--- a/test/spec/innerSVG.js
+++ b/test/spec/innerSVG.js
@@ -218,6 +218,41 @@ describe('inner-svg', function() {
expect(svg).to.eql(text);
});
+
+ it('should escape <> in attributes', function() {
+
+ // given
+ var container = createContainer();
+ var element = appendTo(create('svg'), container);
+
+ var text = '';
+
+ innerSVG(element, text);
+
+ // when
+ var svg = innerSVG(element);
+
+ // then
+ expect(svg).to.eql(text);
+ });
+
+
+ it('should escape & in attributes', function() {
+
+ // given
+ var container = createContainer();
+ var element = appendTo(create('svg'), container);
+
+ var text = '';
+
+ innerSVG(element, text);
+
+ // when
+ var svg = innerSVG(element);
+
+ // then
+ expect(svg).to.eql(text);
+ });
});
});
\ No newline at end of file
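Review bot: Both added tests assign `var text = '';` as rendered here, so `expect(svg).to.eql(text)` would pass without any attribute being serialized. The markup literal may have been lost when the page was extracted, but if the file really holds an empty string, the new escaping is not exercised. Even with a real fixture, comparing the serialized string with the input only proves a round trip of already-escaped markup. An assertion on the parsed DOM would pin the property that matters, for example `expect(element.childNodes.length).to.eql(1);` and `expect(element.firstChild.getAttribute('data-value')).to.eql(rawValue);`, where `data-value` and `rawValue` are placeholders for the fixture's attribute name and its unescaped value. The enclosing `describe('inner-svg', ...)` block starts outside the hunk.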