fix(ngSanitize): sanitizer should not accept <!--> as a valid comment

According to http://validator.w3.org/ , <!--> is not a valid comment and neither is any comment containing the -- substring.
2026-03-17 07:40:22 +00:00 · 2013-08-17 19:09:28 -04:00 · 2013-08-17 19:09:28 -04:00 · 21e9e8cf68
commit 21e9e8cf68
parent bf512bb8ee
2 changed files with 36 additions and 3 deletions
--- a/src/ngSanitize/sanitize.js
+++ b/src/ngSanitize/sanitize.js
@ -210,9 +210,10 @@ function htmlParser( html, handler ) {

      // Comment
      if ( html.indexOf("<!--") === 0 ) {
-        index = html.indexOf("-->");
+        // comments containing -- are not allowed unless they terminate the comment
+        index = html.indexOf("--", 4);

-        if ( index >= 0 ) {
+        if ( index >= 0 && html.lastIndexOf("-->", index) === index) {
          if (handler.comment) handler.comment( html.substring( 4, index ) );
          html = html.substring( index + 3 );
          chars = false;
--- a/test/ngSanitize/sanitizeSpec.js
+++ b/test/ngSanitize/sanitizeSpec.js
@ -15,7 +15,7 @@ describe('HTML', function() {
  describe('htmlParser', function() {
    if (angular.isUndefined(window.htmlParser)) return;

-    var handler, start, text;
+    var handler, start, text, comment;
    beforeEach(function() {
      handler = {
          start: function(tag, attrs, unary){
@ -35,10 +35,42 @@ describe('HTML', function() {
          },
          end:function(tag) {
            expect(tag).toEqual(start.tag);
+          },
+          comment:function(comment_) {
+            comment = comment_;
          }
      };
    });

+    it('should parse comments', function() {
+      htmlParser('<!--FOOBAR-->', handler);
+      expect(comment).toEqual('FOOBAR');
+    });
+
+    it('should throw an exception for invalid comments', function() {
+      var caught=false;
+      try {
+        htmlParser('<!-->', handler);
+      }
+      catch (ex) {
+        caught = true;
+        // expected an exception due to a bad parse
+      }
+      expect(caught).toBe(true);
+    });
+
+    it('double-dashes are not allowed in a comment', function() {
+      var caught=false;
+      try {
+        htmlParser('<!-- -- -->', handler);
+      }
+      catch (ex) {
+        caught = true;
+        // expected an exception due to a bad parse
+      }
+      expect(caught).toBe(true);
+    });
+
    it('should parse basic format', function() {
      htmlParser('<tag attr="value">text</tag>', handler);
      expect(start).toEqual({tag:'tag', attrs:{attr:'value'}, unary:false});