Depends where you use the user input.
If you use it inside a
a href=, then well: no!
and then that could be
and a browser will execute it if the link is pressed, in the context of your page.
To clarify, the answer is in a comment of the accepted answer.
Lux kindly linked a document confirming that a similar approach of entity encoding < is enough to prevent scripts running inside inner html content (which pretty much answers my question). However, & also needs to be encoded and the UTF-7 XSS charset should be avoided (apparently).
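A worked illustration of the two contexts discussed in the answer above and in this comment, added here and not part of the original thread: entity encoding (with & included) for user text placed into element content, and a scheme allow-list for a user-supplied href, where stripping < achieves nothing because a dangerous URL need not contain that character. The function names, the fallback of "#" and the sample inputs are assumptions made for this example.

```javascript
// Added example, not code from the thread. Two different output contexts
// need two different defences; neither is "remove '<' and hope".

// Context 1: user text inserted as element content (innerHTML).
// "&" is encoded first so text that already contains an entity is not
// decoded twice, and so the browser never reinterprets it as markup.
function encodeForHtmlContent(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Context 2: user-supplied URL placed into an href attribute.
// Only allow-listed schemes (or relative paths) are accepted; anything else
// is replaced by a harmless fallback. The WHATWG URL parser lowercases the
// scheme and drops embedded tabs/newlines, so those tricks are covered too.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function safeHref(url) {
  const value = String(url).trim();
  let parsed;
  try {
    // Relative URLs have no scheme; resolve against a fixed dummy base.
    parsed = new URL(value, "https://example.invalid/");
  } catch (e) {
    return "#";
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? value : "#";
}

// The "just strip '<'" approach from the question, kept for comparison:
// it leaves a script-scheme URL completely untouched.
function stripLessThan(text) {
  return String(text).replace(/</g, "");
}

// Build anchor markup using both defences. The attribute value is also
// entity-encoded so a quote inside the URL cannot close the attribute.
function renderLink(url, label) {
  return '<a href="' + encodeForHtmlContent(safeHref(url)) + '">' +
         encodeForHtmlContent(label) + '</a>';
}
```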
On the front-end, is it possible to catch all XSS attacks by removing < from user content? This seems a simple way to disable malicious code, and currently I have no use-cases that would require < to be preserved. Will this work in all cases?
The way I would display user content would always be as inner html, e.g.
Yes thank you. I have updated my question to clarify my expected usage.
Nice one. I think that answers my question.