• caglararli@hotmail.com
  • 05386281520

XSS in HTML Context without < and >

Çağlar Arlı      -    8 Views

XSS in HTML Context without < and >

I have a webpage that blindly removes < and > as hardcoded rule. I know XSS doesn't always need < and > since it is not needed in HTML attribute and javascript contexts.

But is it possible to carry out XSS in HTML context without < and >? I saw it is possible in UTF-7(IE) where they can be replaced by other characters to make a valid HTML construct. Is it possible to do in any other way?

Or is it true that for HTML contexts just stripping < and > is sufficient since without them everything is treated as plaintext?