Say, I have a page where the input from the user is taken and is passed through a simple client-side XSS filter. That filter only replaces < characters with ''.
in = in.replace(/[<]/g, '');
The input is then passed on to JQuery's html() method in order to embed the user input inside a <div> tag.
How can we bypass this simple XSS filter?
XSS in a simple HTML context without < is not possible. It would be possible in a HTML attribute context, JavaScript context, etc; but in a simple <div> tag, we need <.
I see no way to bypass the regex; It will always correctly remove all < characters from the string.
The only hope left is that the jQuery function .html might insecurely handle the input (eg decode values), which would allow us to bypass the filter. But there are no known vulnerabilities in .html that I am aware of.
Given the above, I would say that there is no vulnerability here.
