I once wrote a consumer for an xml api. I started with a simple regex hack that worked fine. After reading some rants about "parsing" xml with regex, I swapped it out for a real parser.
A few minutes later the parsing started failing because there were unescaped <> characters in attributes. Reported the bug, got a wontfix back.
I reverted to regex and it has been working fine ever since.
If there are unescaped <> chars in the "xml" then it's NOT xml and the API shouldn't be called "xml" but "plain text made to look a little like xml".
The people producing such garbage should be ashamed of themselves and should be publicly shamed.
Of course, as consumers of an API we often have no power over the producer and have to swallow what we're given as is. But even then, the correct approach is a first step that cleans/corrects the xml (with something like Beautiful Soup, for example), and then feeds the cleaned xml to a proper parser.
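To make the clean-then-parse idea concrete, here's a minimal stdlib-only sketch (no Beautiful Soup, since that's a third-party dependency). It targets only the specific breakage described upthread — unescaped `<` and `>` inside double-quoted attribute values — with a hypothetical `clean` helper; a real feed would likely need more fixes (single quotes, bare `&`, and so on).

```python
import re
import xml.etree.ElementTree as ET

def clean(xml_text: str) -> str:
    """Escape stray < and > inside double-quoted attribute values.

    A narrow, hypothetical cleanup pass for the breakage described
    above; a real-world feed may also need fixes for single-quoted
    values, unescaped &, etc.
    """
    def fix_attr(match):
        value = match.group(2).replace("<", "&lt;").replace(">", "&gt;")
        return '%s"%s"' % (match.group(1), value)
    return re.sub(r'(=\s*)"([^"]*)"', fix_attr, xml_text)

raw = '<items><item name="size < 10">ok</item></items>'

# A strict parser rejects the raw feed: < is forbidden in
# attribute values by the XML spec, so expat bails out.
try:
    ET.fromstring(raw)
except ET.ParseError:
    print("raw feed is not well-formed xml")

# After the cleanup pass, a proper parser handles it fine,
# and the entity is decoded back to < on access.
root = ET.fromstring(clean(raw))
print(root.find("item").get("name"))  # size < 10
```

The regex-cleanup step is itself the kind of hack the thread is about, of course — the difference is that it's quarantined in one place, and everything downstream gets to work with well-formed xml.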