encoding - HTML: Should I encode greater than or not? ( > > )

Question

When encoding possibly unsafe data, is there a reason to encode >?

• It validates either way.
• The browser interprets the same either way, (In the cases of attr="data", attr='data', <tag>data</tag>)

I think the reasons somebody would do this are

• To simplify regex based tag removal. <[^>]+>? (rare)
• Non-quoted strings attr=data. :-o (not happening!)
• Aesthetics in the code. (so what?)

Am I missing anything?

Answer 1

Strictly speaking, to prevent HTML injection, you need only encode < as <.

If user input is going to be put in an attribute, also encode " as ".

If you're doing things right and using properly quoted attributes, you don't need to worry about >. However, if you're not certain of this you should encode it just for peace of mind - it won't do any harm.