JSR-286 states that escapeXml defaults to true. This value is almost never appropriate. If you forget to set it to false explicitly (very common mistake) you get a very confusing and little explicit NullPointerException.
I suggest to throw a more explicit exception so that developpers don't loose a lot of time wondering why their apps don't work. I can provide the fix if requested.