Escaping < Good Enough to Prevent XSS Attacks

Question

I'm having a debate with one of my colleagues over how to prevent an XSS attack through the encoding of specific characters. Will escaping the < character with < do the trick?

When I review the attack vector cheat sheet published by OWASP, it seems that all attacks use the < character as the basis of execution.

If this does not work, what attack would beat it?

Answer 1

No, for the HTML body you will also need to encode the & character to prevent an attacker from potentially escaping the escape.

Check out the XSS Experimental Minimal Encoding Rules:-

HTML Body (up to HTML 4.01):

• HTML Entity encode < &

• specify charset in metatag to avoid UTF7 XSS

XHTML Body:

• HTML Entity encode < & >

• limit input to charset http://www.w3.org/TR/2008/REC-xml-20081126/#charsets

Note that if you want to enter stuff inside of an attribute value, then you need to properly encode all characters with special meaning. The XSS (Cross Site Scripting) Prevention Cheat Sheet mentions to encode the following characters:-

&,<, >, ", ', /

You must also quote the attribute value for the escaping to be effective.