With 4.9 we moved to a custom `wp_kses` function to escape the variables containing HTML when escaping. It turns out `wp_kses` doesn't strip `<!-- -->` HTML comments that are commenting out valid HTML, but rather just encodes them so they're output to the page. If the comment is just text then it is removed.
This uses regex to strip all HTML comments to correct that so it'll remove both `<!-- this is a comment -->` as well as `<!-- <div class="commented-out"></div> -->`.
This also adds `display` as an allowed CSS style for HTML filtering, but adding and removing the filter as we call `wp_kses` so it doesn't impact other uses.
Also adding a change to use the `init` hook for adding the plugin CSS because there are some instructions for using that hook for removing it available online.
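The pattern described above, sketched as an added example that is not the plugin's own code: comments are stripped before `wp_kses` runs, and `display` is allowed through the core `safe_style_css` filter only for the duration of the call. The `myplugin_*` names and the sample string are hypothetical, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example. myplugin_* names are hypothetical; assumes WordPress is
// loaded so wp_kses(), add_filter() and remove_filter() are available.

/** Remove every HTML comment, including ones that wrap markup. */
function myplugin_strip_html_comments( $html ) {
	do {
		$before = $html;
		// "s" lets "." span newlines; ".*?" stops at the first "-->".
		$html = preg_replace( '/<!--.*?-->/s', '', $before );
		if ( null === $html ) {
			return ''; // PCRE error (e.g. backtrack limit): fail closed.
		}
	} while ( $html !== $before ); // Repeat so a removal cannot assemble a new comment.
	return $html;
}

/** Callback for the core 'safe_style_css' filter: also allow "display". */
function myplugin_allow_display_style( $styles ) {
	$styles[] = 'display';
	return $styles;
}

/** Strip comments first, then filter with wp_kses while "display" is allowed. */
function myplugin_kses( $html ) {
	// Stripping happens before wp_kses so whatever remains is still filtered.
	$html = myplugin_strip_html_comments( $html );

	add_filter( 'safe_style_css', 'myplugin_allow_display_style' );
	try {
		return wp_kses( $html, wp_kses_allowed_html( 'post' ) );
	} finally {
		// Always undo the filter so other wp_kses callers keep the default list.
		remove_filter( 'safe_style_css', 'myplugin_allow_display_style' );
	}
}

/** Runs the wrapper over a constructed sample string. */
function myplugin_kses_demo() {
	$sample = '<p style="display:none">a</p><!-- this is a comment -->'
		. '<!-- <div class="commented-out"></div> -->';
	return myplugin_kses( $sample );
}
```

An unterminated `<!--` is not matched by the pattern and is left for `wp_kses` to handle, which is why the strip step runs before filtering rather than after it.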