Currently, the allowCommentTag option is not enough to preserve comments when used together with stripIgnoreTag or stripIgnoreTagBody. The following code can be used to reproduce the issue:
<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
<script>
var html = filterXSS(
'<span><!-- a comment --></span>',
{
allowCommentTag: true,
stripIgnoreTagBody: true,
}
);
alert(html);
</script>
This code, when ran in the browser, yields the value:
<span>[removed]</span>
While using stripIgnoreTag, it outputs:
<span></span>
The proposed fix is to consider the allowCommentTag when deciding whether to remove or preserve a tag.
Currently, the
allowCommentTag
option is not enough to preserve comments when used together withstripIgnoreTag
orstripIgnoreTagBody
. The following code can be used to reproduce the issue:This code, when ran in the browser, yields the value:
<span>[removed]</span>
While using
stripIgnoreTag
, it outputs:<span></span>
The proposed fix is to consider the
allowCommentTag
when deciding whether to remove or preserve a tag.