
XSS in HTML Context without < and >

Çağlar Arlı - 26 Views

I have a webpage that blindly removes < and > as a hard-coded rule. I know XSS doesn't always need < and >, since they are not needed in HTML attribute and JavaScript contexts.

But is it possible to carry out XSS in an HTML context without < and >? I saw it is possible in UTF-7 (IE), where they can be replaced by other characters to make a valid HTML construct. Is it possible in any other way?

Or is it true that for HTML contexts just stripping < and > is sufficient, since without them everything is treated as plain text?
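Added example (Python, not from the post or any answer to it) that checks the premise above in a way a defender can rerun: it assumes a constructed sample value and two constructed templates, and runs the rendered HTML through a parser to see which tags and attributes result. The strip-only rule leaves a text node as plain text, but in an attribute context a quote character alone adds an attribute; context-aware entity encoding (`html.escape`) closes both cases.

```python
import html
from html.parser import HTMLParser

# Constructed sample value (not from the post): it contains no '<' or '>',
# only a double quote, which is the character that matters inside an attribute.
UNTRUSTED = 'hello" title="injected'

def naive_strip(value: str) -> str:
    """The hard-coded rule from the question: remove only '<' and '>'."""
    return value.replace("<", "").replace(">", "")

def encode_for_text(value: str) -> str:
    """Entity-encode for an HTML text node ('&', '<', '>')."""
    return html.escape(value, quote=False)

def encode_for_attribute(value: str) -> str:
    """Entity-encode for a quoted attribute value (also '"' and "'")."""
    return html.escape(value, quote=True)

# Two constructed templates standing in for the page's own output.
def render_text_node(value: str, sanitizer) -> str:
    return "<p>" + sanitizer(value) + "</p>"

def render_attribute(value: str, sanitizer) -> str:
    return '<a href="/profile" data-name="' + sanitizer(value) + '">x</a>'

class _Collector(HTMLParser):
    """Records what a browser-like parser sees: tag names, attribute names, text."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

    def handle_data(self, data):
        self.text.append(data)

def parse_fragment(fragment: str) -> dict:
    """Return the tag names, attribute names and joined text the parser produced."""
    c = _Collector()
    c.feed(fragment)
    c.close()
    return {"tags": c.tags, "attrs": c.attrs, "text": "".join(c.text)}

if __name__ == "__main__":
    print("text/strip :", parse_fragment(render_text_node(UNTRUSTED, naive_strip)))
    print("attr/strip :", parse_fragment(render_attribute(UNTRUSTED, naive_strip)))
    print("attr/encode:", parse_fragment(render_attribute(UNTRUSTED, encode_for_attribute)))
```

Any extra attribute name in the parsed output is the break-out; the encoded version keeps the whole value inside `data-name`.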