Open matthiasunt opened 2 years ago
This must be linked to: https://github.com/OWASP/java-html-sanitizer/blob/master/docs/client-side-templates.md#escaping-of-sensitive-constructs
In your example, the comments could indeed be removed while still fulfilling the escaping of sensitive constructs rule.
I noticed that comments are not removed if they are placed inside curly brackets.
Example
The above code prints:
This also happens if the brackets and comment are not nested inside a paragraph element (e.g. {<!-- -->}). Surprisingly, the comment is removed if there is a whitespace between bracket and comment (e.g. {<!-- -->}).