Depends where you use the user input.
If you use it inside a <a href=, then well: no!
<a href="{{linkFromUser}}">
and then that could be javascript:alert('oh no');
and a browser will execute it if the link is pressed, in the context of your page.
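The two contexts the answer contrasts, as an added example that is not code from the question or its answers: entity encoding for user text inside an element beside a scheme allow-list for a user-supplied href (the function names and the "#" fallback are this example's own choices).

```javascript
// Added example, not code from the question or answers above. Shows why the
// entity-encoding approach is enough for user text inside an element but not
// for a user-supplied href, and what to check instead. The function names and
// the fallback value "#" are this example's own choices.

// Context 1: user content as element text (the <div>{USER CONTENT}</div> case).
// "&" is encoded first so the entities we emit are not re-encoded; "<" stops
// any tag from being parsed; ">" and quotes are encoded as well so the same
// function is safe inside a quoted attribute value.
function escapeHtmlText(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Context 2: user content as a link target. A javascript: URL contains no "<",
// so stripping or encoding "<" cannot catch it; the scheme has to be
// allow-listed. The WHATWG URL parser (used by browsers and Node) lower-cases
// the scheme and drops tabs/newlines, so spellings such as "JAVA\tSCRIPT:"
// resolve to the same protocol and are rejected too.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const FALLBACK_HREF = "#"; // inert value used when the link is rejected

function safeHref(userLink) {
  const raw = String(userLink).trim();
  let parsed;
  try {
    // The base only matters for relative links; it lets "/path" parse as https:.
    parsed = new URL(raw, "https://placeholder.invalid/");
  } catch (e) {
    return FALLBACK_HREF; // unparsable input is not a link we want to emit
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return FALLBACK_HREF;
  }
  // Keep the user's original (possibly relative) text, encoded for the attribute.
  return escapeHtmlText(raw);
}

// Both contexts together for one rendered anchor.
function renderLink(userLink, userText) {
  return `<a href="${safeHref(userLink)}">${escapeHtmlText(userText)}</a>`;
}
```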
To clarify, the answer is in a comment of the accepted answer.
Lux kindly linked a document confirming that a similar approach of entity encoding < is enough to prevent scripts running inside inner html content (which pretty much answers my question). However & also needs to be encoded and the UTF7 XSS charset should be avoided (apparently).
On the front-end, is it possible to catch all XSS attacks by removing < from user content? This seems a simple way to disable malicious code, and currently I have no use-cases that would require < to be preserved. Will this work in all cases?
The way I would display user content would always be as inner html, e.g.
<div>{USER CONTENT}</div>
Yes thank you. I have updated my question to clarify my expected usage.
Nice one. I think that answers my question.