handle abruptly-closed HTML comments

The WHATWG "living spec" document provides guidance on how to handle "abruptly closed" HTML comments. Specifically, it suggests that parsers should interpret <!--> and <!---> to be empty comments.

https://html.spec.whatwg.org/multipage/parsing.html#parse-error-abrupt-closing-of-empty-comment

This guidance is non-normative, but popular modern browsers do follow this guidance (verified on Firefox and Chrome).

This merge request contains two commits:

  1. Introduce test coverage for how abruptly-closed comments are currently handled, to establish baseline behavior
  2. Update htmlParseComment to handle abruptly-closed comments, and update the tests with the new behavior

This patch is similar to !82 (closed) in that the difference in comment-handling may provide an opportunity for an XSS attack vector to emerge, if libxml2 is being used to sanitize the HTML. I acknowledge that libxml2's HTML parser isn't the best choice for sanitizing HTML5, but wanted to mention it as a rationale for submitting this patch.
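
The parsing difference described above, as an added example that is not part of this merge request or of libxml2: `whatwg_comment_end` applies the spec's rule that `<!-->` and `<!--->` are complete empty comments, while `naive_comment_end` is a hypothetical scanner that reads on to the next `-->`. Both function names and the sample strings are constructed for illustration, and only these comment-start cases and the ordinary `-->` terminator are modelled.

```c
#include <stdio.h>
#include <string.h>

/* Offset just past the comment that starts at s[0], or -1 if s does not
 * open with "<!--". Follows the WHATWG comment-start rules: "<!-->" and
 * "<!--->" are complete, empty comments. */
long whatwg_comment_end(const char *s)
{
    if (strncmp(s, "<!--", 4) != 0)
        return -1;
    if (s[4] == '>')                  /* "<!-->"  */
        return 5;
    if (s[4] == '-' && s[5] == '>')   /* "<!--->" */
        return 6;
    const char *end = strstr(s + 4, "-->");
    return end ? (long)(end - s) + 3 : (long)strlen(s);
}

/* Hypothetical scanner (assumption, not libxml2 code): the comment body
 * begins right after "<!--" and runs to the next "-->". */
long naive_comment_end(const char *s)
{
    if (strncmp(s, "<!--", 4) != 0)
        return -1;
    const char *end = strstr(s + 4, "-->");
    return end ? (long)(end - s) + 3 : (long)strlen(s);
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "<!--> hello -->after",
        "<!---> hello -->after",
        "<!-- hello -->after",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        const char *s = samples[i];
        /* Text each interpretation treats as live markup after the comment. */
        printf("%-24s spec: \"%s\"  naive: \"%s\"\n", s,
               s + whatwg_comment_end(s), s + naive_comment_end(s));
    }
    return 0;
}
```

Wherever the two offsets differ, the text between them is live markup to a browser but comment data to the naive scanner, which is the gap a sanitizer has to close.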
