Is replacing < and > with &lt; and &gt; enough to prevent XSS injection?

Backend · Unresolved · 2 answers · 1697 views
耶瑟儿~ 2020-12-09 18:30

I want to know if entity-encoding the two marks < and > is enough to prevent XSS injections?

And if not, why? And what's the best solution?

2 answers
  •  失恋的感觉
    2020-12-09 19:12

    You should also take double quotes ", single quotes ' and ampersands & into account. If you do that all during displaying/generating the output, then yes, it's enough.

    You should only ensure that you do this for any user-controlled input, such as request parameters, request URL, request headers and user-controlled input which has been stored in a datastore.

    In PHP you can do that with htmlspecialchars() and in JSP you can do that with JSTL.
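The output encoding the answer above describes, as an added example in Python (not code from the answer; PHP's htmlspecialchars() with ENT_QUOTES does the same job): the five-character encoder, the angle-bracket-only variant the question asks about, and a parser check showing why the quote matters once the value lands in an attribute. The template `render_profile` and the sample input are constructed for this example.

```python
import html
from html.parser import HTMLParser

# The five characters the answer lists, each mapped to its entity.
# str.translate replaces per character, so "&" is never double-encoded.
HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
_FULL = str.maketrans(HTML_ESCAPES)
_ANGLE_ONLY = str.maketrans({"<": "&lt;", ">": "&gt;"})


def escape_html(text: str) -> str:
    """Encode user-controlled text for an HTML body or a quoted attribute."""
    return text.translate(_FULL)


def escape_angle_brackets_only(text: str) -> str:
    """The insufficient variant from the question: only < and > are encoded."""
    return text.translate(_ANGLE_ONLY)


def render_profile(name: str, escaper) -> str:
    """Hypothetical template: the same value appears in an attribute and as text."""
    return f'<p title="{escaper(name)}">Hello, {escaper(name)}</p>'


class _TagCollector(HTMLParser):
    """Records (tag, sorted attribute names) for every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))


def structure(fragment: str):
    """Parse a fragment and return its start tags with their attribute names."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def keeps_intended_structure(name: str, escaper) -> bool:
    """True when the rendered fragment is still one <p> with only a title attribute."""
    return structure(render_profile(name, escaper)) == [("p", ["title"])]


# Constructed input: a double quote closes the title attribute if left raw.
SAMPLE = 'Ann " data-extra="x'
```

With only angle brackets encoded, the parser sees a second attribute on the paragraph; with all five characters encoded, the fragment keeps its intended shape.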
