You don’t need the lt and gt tags to have a successful cross-site scripting (XSS) vulnerability
While it’s definitely easier if the “<” and “>” tags are allowed, one can “convince” the target website to run javascript even if the tags are escaped. For example we have this search box: Once we run the search, we…