javascript - without - Is escaping<and>sufficient to block XSS attacks?

xss without angle brackets (3)

No, it's not sufficient. Remember that XSS isn't just about untrusted data in HTML, you'll also find it in JavaScript and CSS. Think about a situation such as "var myVar = [input];" There are all sorts of malicious things you can do with that [input] value without going anywhere near angle brackets. There's many more examples over in the XSS cheat sheet:

You've mentioned ASP.NET in the tag; what you want to be looking at is the [AntiXSS library][1]. Grab this and use the appropriate output encoding:


etc. etc. There's absolutely no reason to try and do your own character substitution in .NET.

I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming < and > to &lt; and &gt; doesn't completely block reflected and persistent XSS.

I'm not talking about CSRF.

If this doesn't block XSS, can you provide an example of how to bypass this defence?

When using an untrusted string in an attribute (quoted with ") you need to escape " as &quot.

Otherwise you could easily inject javascript. For example, <a href="{{str}}"> with str being, for example, " onmouseover='something-evil'".