fix: comment has encoded (#257)

lib/default.js

@@ -159,6 +159,15 @@ function escapeHtml(html) {
   return html.replace(REGEXP_LT, "<").replace(REGEXP_GT, ">");
 }
 
+/**
+ * default escapeHtml function but dont escape comment
+ *
+ * @param {String} html
+ */
+function escapeHtmlNotComment(html) {
+  return html.replace(REGEXP_LT_NOT_COMMENT, "<").replace(REGEXP_RT_NOT_COMMENT, ">");
+}
+
 /**
  * default safeAttrValue function
  *
@@ -228,6 +237,8 @@ function safeAttrValue(tag, name, value, cssFilter) {
 // RegExp list
 var REGEXP_LT = /</g;
 var REGEXP_GT = />/g;
+var REGEXP_LT_NOT_COMMENT = /<(?!!--)/g;
+var REGEXP_RT_NOT_COMMENT = /(?<!--)>/g;
 var REGEXP_QUOTE = /"/g;
 var REGEXP_QUOTE_2 = /&quot;/g;
 var REGEXP_ATTR_VALUE_1 = /&#([a-zA-Z0-9]*);?/gim;
@@ -444,6 +455,7 @@ exports.onTagAttr = onTagAttr;
 exports.onIgnoreTagAttr = onIgnoreTagAttr;
 exports.safeAttrValue = safeAttrValue;
 exports.escapeHtml = escapeHtml;
+exports.escapeHtmlNotComment = escapeHtmlNotComment;
 exports.escapeQuote = escapeQuote;
 exports.unescapeQuote = unescapeQuote;
 exports.escapeHtmlEntities = escapeHtmlEntities;

lib/xss.js

@@ -87,7 +87,7 @@ function FilterXSS(options) {
   options.onIgnoreTag = options.onIgnoreTag || DEFAULT.onIgnoreTag;
   options.onIgnoreTagAttr = options.onIgnoreTagAttr || DEFAULT.onIgnoreTagAttr;
   options.safeAttrValue = options.safeAttrValue || DEFAULT.safeAttrValue;
-  options.escapeHtml = options.escapeHtml || DEFAULT.escapeHtml;
+  options.escapeHtml = options.escapeHtml || (options.allowCommentTag ? DEFAULT.escapeHtmlNotComment : DEFAULT.escapeHtml);
   this.options = options;
 
   if (options.css === false) {

test/test_xss.js

@@ -371,7 +371,7 @@ describe("test XSS", function() {
           "PT><![endif]--> END",
         { allowCommentTag: true }
       ),
-      "&lt;!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;&lt;![endif]--&gt; END"
+      "<!--[if gte IE 4]&gt;&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;&lt;![endif]--> END"
     );
     assert.equal(
       xss(