Is escaping < and > sufficient to block XSS attacks?
Not all XSS attacks include < or > at all, depending on where the data is being inserted.
When using an untrusted string in an attribute (quoted with `"`) you need to escape `"` as `&quot;`.
Otherwise you could easily inject JavaScript. For example, `<a href="{{str}}">` with `str` being, for example, `" onmouseover='something-evil'"`.
No. Here are a couple of examples where escaping `<`, `>`, `'`, `"` and `&` is not enough:

Example 1: `<a href="{{myUrl}}">`

XSS attack: `myUrl = "javascript:alert(1)"`

Example 2: `<script>var page = {{myVar}};</script>`

XSS attack: `myVar = "1;alert(1)"`
See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for ways of preventing these attacks.
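As an added illustration (not code from either answer), the following shows why entity escaping alone stops the quote-breakout payload but passes the `javascript:` URL and the `1;alert(1)` value straight through, and what a context-specific encoder or validator for each of those insertion points looks like. All function names are my own; `safeHref` relies on the WHATWG `URL` parser that Node and browsers provide.

```javascript
// Added example: context-aware output encoding for the payloads discussed above.

// Entity-escapes the five HTML metacharacters. Correct for text nodes and
// for values inside a quoted attribute, and for nothing else.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// href context (example 1): "javascript:alert(1)" has no metacharacter, so
// escaping leaves it intact. Parse the URL and allow only http(s); relative
// URLs resolve against the base and so pass. The WHATWG parser strips
// tabs/newlines and lower-cases the scheme, so "JaVa\tScRiPt:" is caught too.
// Returns null when the URL is rejected.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url), "https://placeholder.invalid/");
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return htmlEscape(url); // still entity-escape for the attribute it lands in
}

// Inline-script context (example 2): the value becomes a JS literal, so
// "1;alert(1)" runs as code. Emit a JSON literal and encode the characters
// that could close the <script> element or break the JS parser.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The two templates from the answers, each rendered with the encoder that
// matches its insertion point. A rejected href is rendered empty.
function renderLink(str) {
  const href = safeHref(str);
  return '<a href="' + (href === null ? "" : href) + '">';
}
function renderScript(myVar) {
  return "<script>var page = " + jsLiteral(myVar) + ";</script>";
}
```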