The WebDynpro UI framework does not decode the data it receives from the backend; it provides the string "as is" without pre-processing it, since the client libraries will be at risk if they decode the string.
The raw data, for instance in an Edm.String, is encoded so that it safely fits into the Atom XML body without corrupting the XML or injecting XML constructs. For example, a string containing <xml>This attack won't work</xml> is automatically escaped, so the string content is just text and cannot be misinterpreted as XML elements.
<d:text>&lt;xml&gt;This attack won't work&lt;/xml&gt;</d:text>
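The escaping round trip described above, as an added example that is not part of the original page: it serializes the sample string into a `d:text` property with and without escaping, then parses both the way a client library would. `build_entry` and `read_text` are hypothetical helper names, and the entry layout is a minimal constructed OData Atom payload.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Standard OData V2 Atom namespaces.
NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "m": "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata",
    "d": "http://schemas.microsoft.com/ado/2007/08/dataservices",
}

# Sample Edm.String value taken from the text above.
SAMPLE = "<xml>This attack won't work</xml>"


def build_entry(value: str, encode: bool = True) -> str:
    """Hypothetical serializer: put one Edm.String into an Atom entry.

    encode=False shows what would happen if the raw data were written
    into the XML body without escaping.
    """
    body = escape(value) if encode else value
    return (
        f'<entry xmlns="{NS["atom"]}" xmlns:m="{NS["m"]}" xmlns:d="{NS["d"]}">'
        '<content type="application/xml"><m:properties>'
        f"<d:text>{body}</d:text>"
        "</m:properties></content></entry>"
    )


def read_text(entry_xml: str):
    """Hypothetical client side: return (string value, child element tags)."""
    root = ET.fromstring(entry_xml)
    node = root.find("atom:content/m:properties/d:text", NS)
    return node.text, [child.tag for child in node]


if __name__ == "__main__":
    safe = build_entry(SAMPLE)
    print(safe)                      # payload carries &lt;xml&gt;...&lt;/xml&gt;
    print(read_text(safe))           # original string back, no child elements

    unsafe = build_entry(SAMPLE, encode=False)
    print(read_text(unsafe))         # no text; the value became an <xml> element
```

In the escaped case the parser hands back the original string with its angle brackets restored, which is the unescaping step the client libraries perform.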
The client libraries will unescape the text when reconstructing the string content from the XML payload. So if you have a string that contains: