leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

MSO tags will be escaped #196

Open Alvis-Li opened 4 years ago

Alvis-Li commented 4 years ago

<!--[if !mso]><!--> Code <!--<![endif]--> is going to be escaped as <!--[if !mso]><!--> Code &lt;!--<![endif]-->

@leizongmin Any suggestions? Or how to avoid it?

andrey-skl commented 2 years ago

Same for me; I could not get this markup to be escaped properly:

<!--[if !mso]><!-->
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<!--<![endif]-->

leizongmin commented 2 years ago

@andrey-skl What do you expect to get from this input html?

andrey-skl commented 2 years ago

@leizongmin Thanks for your response!

Given that my options are, say:

{ 
  allowCommentTag: true,
  whiteList: {} // say nothing is allowed
}

I would expect it to preserve these comments as is:

<!--[if !mso]><!-->

<!--<![endif]-->

But actual result is:

<!--[if !mso]><!-->

&lt;!--<![endif]-->

While debugging the library, I found that the reason is that the last <!--<![endif]--> is not parsed as a single tag because it has a "<" symbol inside, and it triggers parsing of a new tag here: https://github.com/leizongmin/js-xss/blob/master/lib/parser.js#L63

Just for reference, here are all such tags that are often used for email markup: https://stackoverflow.design/email/base/mso/

leizongmin commented 2 years ago

@andrey-skl Did you mean that you expect when setting allowCommentTag=true, the content between <!-- and --> is not processed?

andrey-skl commented 2 years ago

@leizongmin in my case, I would like comment tags to stay as is. Sorry, I forgot to mention a "hack" that makes it work like that for me:

  onIgnoreTag: (tag, html, options) => {
    if (tag.startsWith('!--') || tag.startsWith('![endif')) {
      return html;
    }
    return '';
  },

If we drop this hack it renders

  &lt;!--[if !mso]&gt;&lt;!--&gt;
  &lt;meta http-equiv="X-UA-Compatible" content="IE=edge"/&gt;
  &lt;!--&lt;![endif]--&gt;

Which may be correct, but is not what I need.

If you think it is not possible to preserve these comment tags, it's okay.
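
An alternative to the prefix match in the `onIgnoreTag` workaround above, shown as an added example that is not part of this thread or of js-xss: split the input on an exact allowlist of marker strings, sanitize every fragment between them, and rejoin. The names `MSO_MARKERS`, `escapeAll` and `sanitizePreservingMarkers` are hypothetical, `escapeAll` is a constructed stand-in for the real sanitizer call, and the code assumes the sanitizer's output for each fragment is safe on its own.

```javascript
// Added example (not js-xss code). All names here are hypothetical.
// Exact marker strings from this thread. Each one is a complete HTML comment
// on its own, so keeping it cannot leave a comment open over later markup.
const MSO_MARKERS = ['<!--[if !mso]><!-->', '<!--<![endif]-->'];

// Constructed stand-in for a sanitizer configured with an empty whitelist:
// it escapes every angle bracket. In real use, pass a wrapper around the
// actual sanitizer call instead.
function escapeAll(html) {
  return html.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Only byte-for-byte matches of an allowlisted marker bypass the sanitizer;
// any other comment-like text goes through `sanitize` like normal input.
function sanitizePreservingMarkers(html, sanitize, markers = MSO_MARKERS) {
  if (markers.length === 0) return sanitize(html);
  const alternation = [...markers]
    .sort((a, b) => b.length - a.length) // longest first, in case of shared prefixes
    .map(escapeRegExp)
    .join('|');
  // split() with one capture group yields fragment, marker, fragment, ...
  const parts = html.split(new RegExp(`(${alternation})`));
  return parts.map((part, i) => (i % 2 === 1 ? part : sanitize(part))).join('');
}

// Constructed sample: the markup quoted earlier in this thread.
const sample = [
  '<!--[if !mso]><!-->',
  '<meta http-equiv="X-UA-Compatible" content="IE=edge"/>',
  '<!--<![endif]-->',
].join('\n');

console.log(sanitizePreservingMarkers(sample, escapeAll));
```

Unlike `tag.startsWith('!--')`, a comment that is not on the allowlist is still handed to the sanitizer in full.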