0
votes

Is it possible to execute an XSS attack if all tags are removed from text? By tags meaning everything matching pattern "<...>" (regex: /<.*?>/g).

1

1 Answers

2
votes

Yes:

<img src=x onerror=alert(1)//

Don't invent your own filters. Encode for the contexts as described in the OWASP XSS Prevention Cheat Sheet.