I have a webpage that blindly removes <
and >
as hardcoded rule. I know XSS doesn't always need <
and >
since it is not needed in HTML attribute and javascript contexts.
But is it possible to carry out XSS in HTML context without <
and >
? I saw it is possible in UTF-7(IE) where they can be replaced by other characters to make a valid HTML construct. Is it possible to do in any other way?
Or is it true that for HTML contexts just stripping <
and >
is sufficient since without them everything is treated as plaintext?