Short Answer:
No, removing all < characters does not guarantee safety. It's not a complete protection against XSS.
Detailed Explanation:
Removing < characters eliminates traditional HTML tag-based XSS vectors, but XSS isn't limited to just <script> or tag-based injections. There are several reasons why this approach is incomplete and insecure:
1. Other injection vectors still exist
Even without <, some browsers and environments may parse attribute values, URL schemes, or CSS content dangerously.
<a href="javascript:alert(1)">Click me</a>
No <script>, but still triggers JS if the input controls href.
2. Entities and character encodings
Attackers can use character entities like:
&lt;script&gt;alert(1)&lt;/script&gt;
Some systems decode these back into <script>, especially if decoding happens at the browser layer or during sanitization.
3. Context-aware XSS
HTML injection
JavaScript context injection (e.g., inside event handlers or inline scripts)
CSS context injection (e.g., style="background:url(javascript:...)")
If your app injects user data into inline JS, HTML attributes, or styles, removing < isn't enough.
Correct Way to Sanitize:
Use context-aware escaping or sanitization libraries, such as:
DOMPurify (for HTML sanitization)
Lodash _.escape (for basic escaping)
React's dangerouslySetInnerHTML — only use with sanitized content!
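The following is an added example, not code from the original answer, that puts points 1 and 2 above next to the context-aware approach this section recommends. It builds the same "Click me" link two ways: once after only stripping "<" (the javascript: URL survives), and once with a URL scheme allow-list plus attribute escaping. It also shows that an entity-encoded payload passes a "<" filter untouched and only becomes a real tag once something decodes it. The small escapeHtml, decodeEntities and isSafeHref helpers are assumptions written for this demo so it runs without dependencies; in a real application use DOMPurify or your template engine's escaping as the answer advises.

```javascript
"use strict";
// Added demo (not from the original answer). Helper names are assumptions.

// The naive "defence" under discussion: delete every "<" character.
function stripLt(input) {
  return String(input).replace(/</g, "");
}

// Minimal escaper for the HTML text / attribute contexts, for this demo only.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for the browser (or a later layer) decoding entities after the
// "<" filter has already run. Only the entities the demo needs are handled.
function decodeEntities(s) {
  return String(s)
    .replace(/&lt;/g, "<")
    .replace(/&#60;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// URL context: the scheme, not the presence of "<", decides whether a link
// runs script. Allow-list the schemes a link may use; relative URLs (no
// colon at all) are accepted too. Control characters are removed first
// because browsers ignore tabs/newlines inside a scheme.
function isSafeHref(url) {
  const cleaned = String(url).trim().replace(/[\u0000-\u001f]/g, "");
  return /^(https?:|mailto:)/i.test(cleaned) || !cleaned.includes(":");
}

// Naive build: stripping "<" does nothing to the javascript: URL.
function naiveAnchor(userUrl) {
  return '<a href="' + stripLt(userUrl) + '">Click me</a>';
}

// Context-aware build: validate for the URL context, then escape for the
// HTML-attribute context the value is placed into.
function safeAnchor(userUrl) {
  const href = isSafeHref(userUrl) ? String(userUrl) : "#";
  return '<a href="' + escapeHtml(href) + '">Click me</a>';
}

// Constructed inputs for the demo.
const JS_URL = "javascript:alert(1)";
const ENTITY_PAYLOAD = "&lt;script&gt;alert(1)&lt;/script&gt;";

function demo() {
  return {
    naive: naiveAnchor(JS_URL),                 // javascript: survives
    safe: safeAnchor(JS_URL),                   // rejected, replaced by "#"
    entityAfterStrip: stripLt(ENTITY_PAYLOAD),  // unchanged: no "<" to strip
    entityAfterDecode: decodeEntities(stripLt(ENTITY_PAYLOAD)), // real tag now
    entityEscaped: escapeHtml(ENTITY_PAYLOAD),  // "&" escaped: stays text
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note the order in safeAnchor: URL validation happens on the raw value, and escaping is applied last, immediately before the value is placed into the attribute; escaping for one context (HTML) never substitutes for validation in another (URL).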
Conclusion:
Removing < may reduce risk but doesn’t make content fully safe. Always sanitize input based on context (HTML, JS, CSS, URLs). Use a library — not custom regex.