Is escaping < and> sufficient to block XSS attacks?

Backend · unresolved · 4 · 1606
忘掉有多难 2021-02-05 12:46

I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming < and > to &lt; and &gt;

4 replies
    一向 (original poster)
    2021-02-05 13:21

    No, it's not sufficient. Remember that XSS isn't just about untrusted data in HTML; you'll also find it in JavaScript and CSS. Think about a situation such as "var myVar = [input];" There are all sorts of malicious things you can do with that [input] value without going anywhere near angle brackets. There are many more examples over in the XSS cheat sheet: http://ha.ckers.org/xss.html

    You've mentioned ASP.NET in the tag; what you want to be looking at is the [AntiXSS library][1]. Grab this and use the appropriate output encoding:

    Encoder.CssEncode()
    Encoder.HtmlEncode()
    Encoder.HtmlAttributeEncode()
    Encoder.JavaScriptEncode()
    

    etc. etc. There's absolutely no reason to try and do your own character substitution in .NET.
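As an added example (not code from this thread, and not the AntiXSS library's API; the function names and sample inputs are this example's own), the following JavaScript shows why the angle-bracket substitution from the question stops working as soon as untrusted data lands inside a JavaScript string literal, and what a context-specific encoder does instead. It also includes an HTML encoder for the body/attribute context so the two contexts can be compared side by side.

```javascript
// Added example, not from the original thread. Function names here are
// illustrative and are not the AntiXSS library's Encoder.* methods.

// The naive approach from the question: only angle brackets are touched.
function escapeAngleBrackets(s) {
  return String(s).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// HTML body / quoted-attribute context: the five characters that can
// change meaning are replaced with entities (this is what Encoder.HtmlEncode
// is for; the mapping below is this example's own).
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: everything except ASCII alphanumerics
// becomes \xHH or \uHHHH, so quotes, backslashes, newlines and "</script>"
// can neither close the literal nor the surrounding <script> block.
function jsStringEncode(s) {
  return String(s)
    .split("") // iterate UTF-16 code units, so every code is < 0x10000
    .map((ch) => {
      if (/[A-Za-z0-9]/.test(ch)) return ch;
      const code = ch.charCodeAt(0);
      return code < 0x100
        ? "\\x" + code.toString(16).padStart(2, "0")
        : "\\u" + code.toString(16).padStart(4, "0");
    })
    .join("");
}

// Build the "var myVar = '[input]'" statement from the answer using the
// given encoder, then evaluate it in an isolated Function to see what
// myVar ends up holding. Returns null when the statement no longer parses,
// i.e. the input broke out of the string literal.
function evaluateTemplate(input, encoder) {
  const src = "var myVar = '" + encoder(input) + "'; return myVar;";
  try {
    return new Function(src)();
  } catch (e) {
    return null;
  }
}

// Constructed sample inputs: a plain value, a value with an apostrophe, and
// a value containing a closing script tag.
const samples = ["plain", "it's", "it's </script>"];
for (const input of samples) {
  console.log(JSON.stringify(input),
    "| angle-only:", JSON.stringify(evaluateTemplate(input, escapeAngleBrackets)),
    "| jsStringEncode:", JSON.stringify(evaluateTemplate(input, jsStringEncode)));
}
```

With angle-bracket escaping alone, the apostrophe in `it's` terminates the literal and the statement no longer parses (the "overwrite the rest of the statement" cases in the cheat sheet start from exactly this position). With the JavaScript-string encoder every input round-trips to the original value, which is the property the output encoder for that context has to guarantee.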
