Why shouldn't I put user input in HTML comments?

The relevant entries in the HTML5 Security Cheatsheet are:

  • Ending HTML comments with a backtick character: html5sec#133 (IE6, IE8)
  • Injecting XSS with a conditional comment: html5sec#115 (older IE, IE quirks mode)

Apart from that, user input might be used to change this comment into a conditional comment (IE only) and thus change the DOM or block the execution of script after the comment. This could change the behavior of the page in an unintended way.


If untrusted data can be anything, we could inject for example --><script>alert("I just escaped the HTML comment")</script><!-- which would make it appear in the source code like: <!----><script>alert("I just escaped the HTML comment")</script><!----> (note the empty comments).
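To make the break-out above concrete from the defender's side, here is an added example (not part of either answer) that renders the answer's payload into a comment both naively and with a character filter, then uses Python's html.parser to show what a browser-like tokenizer actually sees. The comment template, the filter and the `parse_outcome` helper are constructed for this illustration; the payload string is the one from the answer.

```python
import re
from html.parser import HTMLParser

# Characters that can terminate or retype an HTML comment: "-" (builds "-->"),
# "<" / ">" (tag-like content), "!" / "[" / "]" (IE conditional comments such
# as "[if IE]><!") and the backtick noted in html5sec#133.
_COMMENT_BREAKERS = re.compile(r"[-<>!\[\]`]")

# Payload quoted in the answer above.
PAYLOAD = '--><script>alert("I just escaped the HTML comment")</script><!--'


def comment_vulnerable(untrusted: str) -> str:
    """Naive interpolation: untrusted text goes straight into a comment."""
    return f"<!-- debug: {untrusted} -->"


def comment_hardened(untrusted: str) -> str:
    """Fallback filter: drop every character that could end or retype the comment.
    (Not placing untrusted data in comments at all remains the real fix.)"""
    return f"<!-- debug: {_COMMENT_BREAKERS.sub('', untrusted)} -->"


class _Audit(HTMLParser):
    """Records start tags and comments as the tokenizer emits them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.comments: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_comment(self, data):
        self.comments.append(data)


def parse_outcome(html: str) -> tuple[list[str], list[str]]:
    """Return (start tags seen, comments seen) for the given markup."""
    p = _Audit()
    p.feed(html)
    p.close()
    return p.tags, p.comments


if __name__ == "__main__":
    print(parse_outcome(comment_vulnerable(PAYLOAD)))  # a <script> tag escapes the comment
    print(parse_outcome(comment_hardened(PAYLOAD)))    # only one comment, no tags
```

The vulnerable rendering yields two comments with a live `script` start tag between them, exactly the "empty comments" effect the answer describes; the filtered rendering stays a single comment.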

Tags: html, xss