Use the encode_entities function from the HTML::Entities module:

use HTML::Entities;
my $text = ...;
my $encoded_text = encode_entities($text);
[download]

If you want to force the use of numeric (hexadecimal) character references, you can use the encode_entities_numeric function.

The other issue is that you shouldn't be mixing text and entity encoded text in the same string. For instance, if you have a string with contents &, you should first decode that string so that it is represented by the single character string &. Then after you are done manipulating it, re-encode it to use entity references using the encode_entities function. From the way you describe your problem, it sounds like you could be running into this issue. If you describe more about how your XML is being generated, we can tell you if indeed this is the case or not.