Durlabh Sharma

Reputation: 48

Input special character in search string when handled at server side

I'm testing a project I'm working on. Here I've put a filter on the server side (Java) to redirect the page to an error page whenever I encounter any HTML tag-like regex (URL-encoded input is also checked) in the query string. As per my skill set, it's working fine. But I'm very much sure it's not the end. There must be a way to still enter the vector to execute an XSS script.

Examples: <hello> redirects to the error page
%3Chello%3E converts to <hello> and is redirected to the error page
%253Chello%253E converts to %3Chello%3E and the page works fine as no HTML tag is found.

Upvotes: 0

Views: 635

Answers (1)

Gil Cohen

Reputation: 846

  1. The approach you're trying is a black-list approach, which is to search for bad characters (i.e. <, >) and redirect to an error page and/or encode it. This is the wrong approach. You should use a white list of permitted characters and redirect to an error page if the input contains any non-permitted characters. One way to enforce this approach is regular expressions: ^[a-zA-Z0-9]*$ or ^[\s\w]*$. Adding both client validation and server validation would keep you safe and error-free (unless a hacker tries to bypass the client validation, in which case the server validation would stop him). If you try to guess the attacker's method you are destined to fail.
  2. The right way to encode user originated input to prevent XSS is HTML Encoding, not URL encoding (not %3Chello%3E, but &gt;hello&lt;).
  3. If you encode the user input you don't have to redirect the user to an error page, as the examples you gave and the ones that I gave are harmless.
  4. Having said that, here is an example of XSS without < and >: Let's say a page receives a picture file name and displays it, and does not encode the quote character:

    https://contoso.com/displaypic?source=111.jpg
    
    <img src="111.jpg"></img>
    

    If you access this URL, you have yourself XSS:

    https://contoso.com/displaypic?source=a"+onerror="alert('XSS')
    
    <img src="a" onerror="alert('XSS')"></img>
    

Upvotes: 1
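The two points of the answer, a whitelist check on the search string and HTML encoding of anything that is written back into the page, as an added Java example. This is not code from the asker's project or from the answerer; the class name, method names and the sample inputs are assumptions made for the illustration. The whitelist uses the answer's `^[\s\w]*$` pattern, and the encoder covers the five characters that matter in HTML text and attribute context, so the quote-breaking `onerror` value from the answer and the double-URL-encoded value from the question are both handled: the whitelist rejects them up front, and even if the value reached the `<img>` attribute it would be rendered as inert text.

```java
import java.util.regex.Pattern;

public class SearchInputGuard {

    // Whitelist from the answer: only word characters and whitespace are permitted.
    // Anything else (quotes, angle brackets, '%', '&') is rejected before it is used.
    private static final Pattern ALLOWED = Pattern.compile("^[\\s\\w]*$");

    /** Returns true when the search string contains only permitted characters. */
    public static boolean isAllowed(String input) {
        return input != null && ALLOWED.matcher(input).matches();
    }

    /**
     * HTML-encodes the characters that can break out of text or a quoted attribute.
     * Output encoding is applied at render time, regardless of what validation did.
     */
    public static String htmlEncode(String input) {
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the answer's <img> tag with the value inside a double-quoted attribute. */
    public static String imgTag(String source) {
        return "<img src=\"" + htmlEncode(source) + "\"></img>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign search, the answer's payload,
        // and the double-encoded value from the question.
        String[] inputs = {
            "hello world",
            "a\" onerror=\"alert('XSS')",
            "%253Chello%253E"
        };
        for (String in : inputs) {
            System.out.println("input     : " + in);
            System.out.println("whitelist : " + (isAllowed(in) ? "accepted" : "rejected"));
            System.out.println("rendered  : " + imgTag(in));
            System.out.println();
        }
    }
}
```

Running this prints `accepted` only for `hello world`; the other two inputs are rejected by the whitelist because `"`, `'`, `(`, `)`, `=` and `%` are not in the permitted set, which is why a whitelist also closes the double-encoding gap from the question without needing to guess how many times to decode. The rendered line for the payload comes out as `<img src="a&quot; onerror=&quot;alert(&#x27;XSS&#x27;)"></img>`, a single harmless attribute value. In a real project, prefer a maintained encoder such as `Encode.forHtmlAttribute` from the OWASP Java Encoder over a hand-written switch, and choose the encoding function for the context (attribute, text, JavaScript, URL) the value is inserted into.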
