I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming < and > to < and > doesn't completely block reflected and persistent XSS.

I'm not talking about CSRF.

If this doesn't block XSS, can you provide an example of how to bypass this defence?

When using an untrusted string in an attribute (quoted with ") you need to escape " as &quot.

Otherwise you could easily inject javascript. For example, <a href="{{str}}"> with str being, for example, " onmouseover='something-evil'".

Not all XSS attacks include < or > at all, depending on where the data is being inserted.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Why_Can.27t_I_Just_HTML_Entity_Encode_Untrusted_Data.3F

No. Here are a couple of examples where escaping <, >, ', " and & is not enough:

Example 1:

<a href="{{myUrl}}">

XSS Attack:

myUrl = "javascript:alert(1)"

Example 2:

<script>var page = {{myVar}};</script>

XSS Attack:

myVar = "1;alert(1)"

See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for ways of preventing these attacks.

No, it's not sufficient. Remember that XSS isn't just about untrusted data in HTML, you'll also find it in JavaScript and CSS. Think about a situation such as "var myVar = [input];" There are all sorts of malicious things you can do with that [input] value without going anywhere near angle brackets. There's many more examples over in the XSS cheat sheet: http://ha.ckers.org/xss.html

You've mentioned ASP.NET in the tag; what you want to be looking at is the [AntiXSS library][1]. Grab this and use the appropriate output encoding:

Encoder.CssEncode()
Encoder.HtmlEncode()
Encoder.HtmlAttributeEncode()
Encoder.JavaScriptEncode()

etc. etc. There's absolutely no reason to try and do your own character substitution in .NET.