The "correct way to fix it" is to use an XML building module that automatically escapes things for you.
use strict;
use warnings;
use XML::Simple qw( :strict );
my $xml = '<foo><bar>blah&blah</bar></foo>';
my @opts = (KeepRoot=>1, KeyAttr=>[]);
my $data = XMLin($xml, ForceArray=>1, @opts);
use Data::Dump;
dd($data);
print(XMLout($data, @opts));
Output:
{ foo => [{ bar => ["blah&blah"] }] }
<foo>
<bar>blah&blah</bar>
</foo>
Note that the ampersand is unescaped in the first output line, then escaped again in the XML.
Also, don't use XML::Simple. Someone want to suggest a better module?