From 9f6a37b34db3b61f9800fa6edd4e4a4883c307bc Mon Sep 17 00:00:00 2001
From: lumburr <87313750+lumburr@users.noreply.github.com>
Date: Fri, 27 May 2022 22:57:50 +0800
Subject: [PATCH] fix: comment has encoded (#257)

---
 lib/default.js   | 12 ++++++++++++
 lib/xss.js       |  2 +-
 test/test_xss.js |  2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/lib/default.js b/lib/default.js
index 6495a99..3fb0ca3 100644
--- a/lib/default.js
+++ b/lib/default.js
@@ -159,6 +159,15 @@ function escapeHtml(html) {
   return html.replace(REGEXP_LT, "&lt;").replace(REGEXP_GT, "&gt;");
 }
 
+/**
+ * default escapeHtml function but dont escape comment
+ *
+ * @param {String} html
+ */
+function escapeHtmlNotComment(html) {
+  return html.replace(REGEXP_LT_NOT_COMMENT, "&lt;").replace(REGEXP_RT_NOT_COMMENT, "&gt;");
+}
+
 /**
  * default safeAttrValue function
  *
@@ -228,6 +237,8 @@ function safeAttrValue(tag, name, value, cssFilter) {
 // RegExp list
 var REGEXP_LT = /</g;
 var REGEXP_GT = />/g;
+var REGEXP_LT_NOT_COMMENT = /<(?!!--)/g;
+var REGEXP_RT_NOT_COMMENT = /(?<!--)>/g;
 var REGEXP_QUOTE = /"/g;
 var REGEXP_QUOTE_2 = /&quot;/g;
 var REGEXP_ATTR_VALUE_1 = /&#([a-zA-Z0-9]*);?/gim;
@@ -444,6 +455,7 @@ exports.onTagAttr = onTagAttr;
 exports.onIgnoreTagAttr = onIgnoreTagAttr;
 exports.safeAttrValue = safeAttrValue;
 exports.escapeHtml = escapeHtml;
+exports.escapeHtmlNotComment = escapeHtmlNotComment;
 exports.escapeQuote = escapeQuote;
 exports.unescapeQuote = unescapeQuote;
 exports.escapeHtmlEntities = escapeHtmlEntities;
diff --git a/lib/xss.js b/lib/xss.js
index 136bfac..8210182 100644
--- a/lib/xss.js
+++ b/lib/xss.js
@@ -87,7 +87,7 @@ function FilterXSS(options) {
   options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
   options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
   options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
-  options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
+  options.escapeHtml = options.escapeHtml || (options.allowCommentTag ? DEFAULT.escapeHtmlNotComment : DEFAULT.escapeHtml);
   this.options = options;
 
   if (options.css === false) {
diff --git a/test/test_xss.js b/test/test_xss.js
index 8761834..deb8f92 100644
--- a/test/test_xss.js
+++ b/test/test_xss.js
@@ -371,7 +371,7 @@ describe("test XSS", function() {
           "PT><![endif]--> END",
         { allowCommentTag: true }
       ),
-      "&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;&lt;![endif]--&gt; END"
+      "<!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;&lt;![endif]--> END"
     );
     assert.equal(
       xss(