Is my site safe from XSS if I replace all '<' with '&lt;'?

I'm wondering what the bare minimum to make a site safe from XSS is.

If I simply replace < with &lt; in all user submitted content, will my site be safe from XSS?

Answers


Depends hugely on context.

Also, encoding less than only isn't that flash of an idea. You should just encode all characters which have special meaning and could be used for XSS...

  • <
  • >
  • "
  • '
  • &

A trivial example of where encoding the less-than won't matter is something like this...

Welcome to Dodgy Site. Please link to your homepage.

Malicious user enters...

http://www.example.com" onclick="window.location = 'http://nasty.com'; return false;

Which obviously becomes...

<a href="http://www.example.com" onclick="window.location = 'http://nasty.com'; return false;">View user's website</a>

Had you encoded double quotes, that attack would not be valid.
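To make the attribute-context point concrete, here is an added example (not code from the original post) that renders the answer's "link to your homepage" markup with the question's less-than-only encoder and then with an encoder covering all five characters the answer lists, and checks which attributes end up on the resulting tag. The sample input is the answer's own, the function names are my own, and the attribute scan is deliberately minimal (it only needs to show whether the input stayed inside href).

```javascript
// Encoder that only handles '<', as the question proposes.
function encodeLtOnly(s) {
  return String(s).replace(/</g, "&lt;");
}

// Encoder covering the five characters the answer lists: & < > " '
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Renders the quoted-attribute markup from the answer using the chosen encoder.
// (Assumed template; the answer shows the output, not the server code.)
function renderHomepageLink(userInput, encoder) {
  return `<a href="${encoder(userInput)}">View user's website</a>`;
}

// Lists the attribute names present on the first <a> tag of an HTML fragment.
// Minimal on purpose: it only needs to reveal whether the user input escaped href.
function attributeNames(html) {
  const tag = html.match(/<a\b([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /([A-Za-z][\w-]*)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample input: the exact string the answer shows the user entering.
const SAMPLE_INPUT =
  'http://www.example.com" onclick="window.location = \'http://nasty.com\'; return false;';

// With '<'-only encoding the input breaks out of href and gains an onclick attribute;
// with full encoding the whole string remains the href value.
const ltOnlyHtml = renderHomepageLink(SAMPLE_INPUT, encodeLtOnly);
const safeHtml = renderHomepageLink(SAMPLE_INPUT, encodeHtml);
```

Note that this only covers quoted HTML attribute and element body contexts; unquoted attributes, URL schemes, JavaScript blocks and CSS each need their own, context-specific encoding.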
