FoxyCart / foxyshop

FoxyShop - WordPress plugin for FoxyCart
GNU General Public License v2.0

Quick fixes for the new custom HTML filtering #84

Closed adamjudd closed 2 years ago

adamjudd commented 2 years ago

With 4.9 we moved to a custom wp_kses function to escape the variables containing HTML when escaping. It turns out wp_kses doesn't strip <!-- --> HTML comments that are commenting out valid HTML, but rather just encodes them so they're output to the page. If the comment is just text then it is removed.

This uses regex to strip all HTML comments to correct that, so it'll remove both <!-- this is a comment --> as well as <!-- <div class="commented-out"></div> -->

This also adds display as an allowed CSS style for HTML filtering, but adds and removes the filter as we call wp_kses so it doesn't impact other uses.

Also adding a change to use the init hook for adding the plugin CSS because there are some instructions for using that hook for removing it available online.
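
The approach described in this pull request, sketched as an added example (not FoxyShop's own code and not part of the original comment). It assumes it runs inside WordPress, where `wp_kses`, `add_filter`, `remove_filter` and the `safe_style_css` filter are available; the `example_` function names and the `'post'` default context are hypothetical choices for illustration.

```php
<?php
// Added illustration; the example_ functions are hypothetical names.

/** Callback for the safe_style_css filter: also allow `display` in inline styles. */
function example_allow_display_style( $styles ) {
    $styles[] = 'display';
    return $styles;
}

/**
 * Strip HTML comments, then sanitize with wp_kses while `display`
 * is allowed only for the duration of this one call.
 */
function example_filter_html( $html, $allowed_html = 'post' ) {
    // Non-greedy match with the /s modifier so multi-line comments and
    // commented-out markup are both removed. Repeat until the string is
    // stable, so removing an inner comment cannot splice together a new
    // one (constructed case: "<!<!-- x -->-- <div></div> -->").
    do {
        $previous = $html;
        $html     = preg_replace( '/<!--.*?-->/s', '', $previous );
        if ( null === $html ) {
            return ''; // Regex engine error (e.g. backtrack limit): fail closed.
        }
    } while ( $html !== $previous );

    // Scope the extra CSS property to this call so other wp_kses users
    // keep the default allow-list, even if wp_kses throws.
    add_filter( 'safe_style_css', 'example_allow_display_style' );
    try {
        return wp_kses( $html, $allowed_html );
    } finally {
        remove_filter( 'safe_style_css', 'example_allow_display_style' );
    }
}

// Constructed sample input: a text comment, commented-out markup, and an
// inline style using `display`.
// example_filter_html(
//     '<!-- note --><p style="display:none">x</p><!-- <div class="commented-out"></div> -->'
// );
```

An unterminated `<!--` with no closing `-->` is not matched by the pattern and is left for `wp_kses` to handle.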