Solution 1:

Depends where you use the user input.

If you use it inside an <a href="...">, then well: no!

<a href="{{linkFromUser}}">

and then that could be javascript:alert('oh no');

and a browser will execute it if the link is pressed, in the context of your page.
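The href case described in this answer, as an added example that is not part of the original answer: the payload needs no "<" at all, so a filter that strips "<" passes it through, and the fix is to allow-list the URL scheme after resolving the value the way a browser does. The helper names (isSafeHref, renderLink, escapeHtml), the base origin and the sample links are assumptions made for this illustration.

```javascript
// Added example (not from the original answer). Helper names, the base
// origin and the sample payloads below are assumptions for this illustration.

// Schemes that are acceptable inside an href. Anything else (javascript:,
// data:, vbscript:, ...) is rejected.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Resolve the value the way a browser would: the WHATWG URL parser strips
// leading/trailing whitespace, removes embedded tabs and newlines, and
// lowercases the scheme. Only then compare the scheme with the allow-list.
// Relative links resolve against the site's own origin and stay http(s).
function isSafeHref(value, base = 'https://example.com/') {
  let url;
  try {
    url = new URL(value, base);
  } catch (e) {
    return false; // unparseable: do not emit it at all
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Attribute/text encoding of the five characters the HTML parser cares about.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the <a> markup for a user-supplied link: encode the value AND check
// its scheme. Encoding alone leaves "javascript:" working, because that
// payload contains no "<", ">" or quote and fires when the link is clicked.
function renderLink(value, text) {
  const href = isSafeHref(value) ? value : '#';
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Constructed sample links: none of the dangerous ones contains "<", so a
// filter that only removes "<" would pass every one of them unchanged.
const SAMPLE_LINKS = [
  "javascript:alert('oh no')",
  "  JaVaScRiPt:alert('oh no')",   // scheme is case-insensitive, leading spaces are stripped
  "java\tscript:alert('oh no')",   // the parser removes tabs inside the scheme
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==', // base64 of <script>alert(1)</script>
  'https://example.org/profile',
  '/relative/path?x=1',
];

function classifyLinks() {
  return SAMPLE_LINKS.map((value) => ({ value, safe: isSafeHref(value) }));
}
```

classifyLinks() marks the first four entries unsafe and the last two safe; renderLink() replaces a rejected value with "#" rather than trying to "clean" it, since a rewritten attacker string is harder to reason about than a dropped one.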

Solution 2:

To clarify, the answer is in a comment of the accepted answer.

Lux kindly linked a document confirming that a similar approach of entity encoding < is enough to prevent scripts running inside inner HTML content (which pretty much answers my question). However, & also needs to be encoded and the UTF-7 XSS charset should be avoided (apparently).
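The inner-HTML case this answer settles on, as an added example that is not part of the original answer or of the linked document: the strip-"<" idea beside entity encoding of the five significant characters, with "&" included so that entity sequences already in the input stay literal text. Function names (stripLt, encodeHtml, decodeHtml, renderDiv) and the sample inputs are assumptions made for this illustration.

```javascript
// Added example (not from the original answer). Function names and sample
// inputs are assumptions for this illustration.

// The questioner's idea: remove every "<" so that no tag can open.
function stripLt(s) {
  return String(s).replace(/</g, '');
}

// Entity encoding for a text context such as <div>{USER CONTENT}</div>.
// "&" is encoded as well, so input that already contains "&lt;" or "&#60;"
// is displayed literally instead of being decoded by the browser.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Minimal decoder for the five entities above, used to check the round trip
// (what the browser shows is exactly what the user typed).
const UNENTITY = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
function decodeHtml(s) {
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (m) => UNENTITY[m]);
}

// The display pattern from the question.
function renderDiv(userContent) {
  return `<div>${encodeHtml(userContent)}</div>`;
}

// Constructed sample inputs.
const SAMPLE_TEXT = {
  tag: '<img src=x onerror=alert(1)>',
  // No "<" here, so stripLt() leaves it as is and the browser then renders it
  // as "<img ...>" text; encodeHtml() keeps it as the "&lt;img ...&gt;" the
  // user actually typed.
  entity: '&lt;img src=x onerror=alert(1)&gt;',
  // Legitimate text that stripping silently corrupts.
  math: 'if a < b && c > d',
};

function compareApproaches() {
  const out = {};
  for (const [name, value] of Object.entries(SAMPLE_TEXT)) {
    out[name] = {
      stripped: stripLt(value),
      encoded: encodeHtml(value),
      roundTrip: decodeHtml(encodeHtml(value)) === value,
    };
  }
  return out;
}
```

compareApproaches() shows that both approaches leave no raw "<" in the tag sample, but only the encoded form round-trips for all three inputs. The charset remark in the answer is handled outside this code: declare the page's encoding (for example a UTF-8 meta charset or Content-Type header) so the browser cannot be talked into UTF-7.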

Problem:

On the front-end, is it possible to catch all XSS attacks by removing < from user content? This seems a simple way to disable malicious code, and currently I have no use cases that would require < to be preserved. Will this work in all cases?

The way I would display user content would always be as inner html, e.g.

<div>{USER CONTENT}</div>

Comments

Comment posted by Thum Choon Tat

You could also escape the character, depending on where you place the value

Comment posted by The sleeping wombat

Yes thank you. I have updated my question to clarify my expected usage.

Comment posted by here

have a look

Comment posted by The sleeping wombat

Nice one. I think that answers my question.
