You do need to encode it, because it is XML. So, the value will be "<img src="Images/ etc.
You can refer to http://www.w3schools.com/xml/xml_syntax.asp
] for special characters.
I would recommend putting it into a settings table in the database and possibly even breaking up your onclick into a different field. Your trying to cram a lot into an xml value, but it should work if you get the syntax right.