The XMLLayout does not escape special characters like "<" and ">" if they appear in the logger name, level or thread name. Most likely they would result in non-well-formed XML, but you could use a specially crafted thread name to change the severity or logger name for the error.
I have added a method sanitize4XML to ...helpers.Transform and changed XMLLayout accordingly. TestCase and the two new files will be attached to this bug. A patch-file will be attached later.
Created attachment 19109: Patched Transform.java
Created attachment 19110: Patched XMLLayout.java
Created attachment 19112: TestCase for org.apache.log4j.helpers.Transform.sanitize4XML()
Thread name seems like it would be a problem sometimes. escapeTags should probably be patched, rather than creating a new method. A & character in HTML is still not valid, for instance. Otherwise looks good.
I agree this needs to be addressed, but I don't particularly like the patch as it does not address other XMLLayout-related issues like the presence of ]]> within message text, which will result in an early termination of the CDATA section.
XSLTLayout added in issue 43077 should not have the same issue on special characters.
Problem also affects HTMLLayout. Committed tests and fixes (similar but not identical to submissions) in rev 564779 (on log4j 1.2 branch). CDATA end sequence did appear to be properly escaped when it appeared in message text.
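The two concerns raised in this thread, unescaped attribute values and a "]]>" inside the CDATA message, shown in an added Python example that is not log4j's Transform code. It builds a log4j 1.2-style event element with constructed sample values, checks that the unescaped form is rejected as not well-formed, and that the escaped form round-trips every field intact.

```python
import xml.etree.ElementTree as ET

# Constructed sample event; the thread name carries the kind of crafted
# value the first comment describes.
LOGGER = "org.example.App"
LEVEL = "ERROR"
THREAD = 'main" level="FATAL'
MESSAGE = "payload was <a>]]> & done"


def escape_xml(value: str) -> str:
    """Escape the five XML special characters so a value is safe in an attribute."""
    return (value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                 .replace('"', "&quot;").replace("'", "&apos;"))


def cdata(text: str) -> str:
    """Wrap text in CDATA; a literal ']]>' is split across two sections so it
    cannot terminate the block early."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def format_event(logger: str, level: str, thread: str, message: str,
                 escape: bool = True) -> str:
    """Render one log4j:event; escape=False reproduces the unescaped layout."""
    esc = escape_xml if escape else (lambda s: s)
    return ('<log4j:event xmlns:log4j="http://jakarta.apache.org/log4j/" '
            f'logger="{esc(logger)}" level="{esc(level)}" thread="{esc(thread)}">'
            f'<log4j:message>{cdata(message)}</log4j:message></log4j:event>')


def is_well_formed(xml_text: str) -> bool:
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parse_event(xml_text: str) -> dict:
    """Parse an event back into its fields; ET joins adjacent CDATA sections."""
    root = ET.fromstring(xml_text)
    return {"logger": root.get("logger"), "level": root.get("level"),
            "thread": root.get("thread"), "message": root[0].text}


if __name__ == "__main__":
    print(is_well_formed(format_event(LOGGER, LEVEL, THREAD, MESSAGE, escape=False)))
    print(parse_event(format_event(LOGGER, LEVEL, THREAD, MESSAGE)))
```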