I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming < and > to &lt; and &gt;
When using an untrusted string in an attribute (quoted with ") you need to escape " as &quot;.
Otherwise you could easily inject JavaScript. For example, with str being, for example, " onmouseover='something-evil'".
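The difference the answer describes, as an added example that is not part of the original post: the same str value is rendered into a double-quoted attribute, once with only < and > escaped and once with quotes escaped too, and a small scanner lists the attributes that result. The `<input value="...">` template and all function names are assumptions made for this illustration.

```javascript
// Added example; escapeAngleOnly, escapeAttr, render and attrNames are hypothetical names.

// Weak: the transformation the question asks about, only < and >.
function escapeAngleOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened: also escapes &, " and ', so the value cannot close the quoted attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Assumed template: the untrusted value is placed in a double-quoted attribute.
function render(str, escape) {
  return '<input value="' + escape(str) + '">';
}

// Minimal attribute scanner for the single tag produced by render().
// Returns the attribute names an HTML parser would see in that tag.
function attrNames(tag) {
  const inner = tag.replace(/^<\w+/, "").replace(/>$/, "");
  const re = /([^\s=]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s]+)/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Constructed input: the str value from the answer above.
const str = "\" onmouseover='something-evil'";

const weak = render(str, escapeAngleOnly);
const safe = render(str, escapeAttr);
console.log(weak, attrNames(weak)); // value plus an injected event-handler attribute
console.log(safe, attrNames(safe)); // value only
```

A check like `attrNames` is useful in a unit test for any template helper: the set of attributes in the output should never depend on the untrusted input.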