Question

-2

Is escaping < and > sufficient to block XSS attacks?

rated 0 times [ 2] [ 4] / answers: 1 / hits: 36235 / 13 Years ago, sun, april 17, 2011, 12:00:00

I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming < and > to < and > doesn't completely block reflected and persistent XSS.

I'm not talking about CSRF.

If this doesn't block XSS, can you provide an example of how to bypass this defence?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

janettejordynm

Add To Favorites

Follow

Total Points: 550

Total Questions: 94

Total Answers: 98

Location: Senegal

Member since Fri, Aug 21, 2020

4 Years ago

janettejordynm questions

1 Chunk file upload with axios

Tue, Nov 24, 20, 00:00, 4 Years ago

1 Node unable to find module alias defined in tsconfig and package.json

Thu, Jun 18, 20, 00:00, 4 Years ago

1 How to check if an entered answer is correct with HTML code?

Sat, May 23, 20, 00:00, 4 Years ago

1 Can someone explain this piece of Javascript code?

Mon, Apr 6, 20, 00:00, 4 Years ago

1 AES Encryption/Decryption in Node JS similar to Java

Tue, Feb 18, 20, 00:00, 4 Years ago

View All

answered 13 Years ago osvaldo · Accepted Answer

When using an untrusted string in an attribute (quoted with ) you need to escape as &quot.

Otherwise you could easily inject javascript. For example, <a href={{str}}> with str being, for example, onmouseover='something-evil'.