Detectify
Knowledge Base

HTML Comments

Last Updated: Jul 25, 2016 09:37AM CEST

HTML comments are part of standard HTML. They act only as comments in the markup and have no effect on how the page is rendered or executed, but they are still delivered to every visitor in the page source.

What can happen?

There are multiple legitimate uses of HTML comments, and they do not per se constitute a vulnerability. However, the reason we chose to include this in our findings is that HTML comments often expose sensitive information (internal paths, credentials, notes for developers) and frequently hold temporary or commented-out code that was never meant to ship.

Example of HTML Comments

W3schools’s example:

<!--This is a comment. Comments are not displayed in the browser-->
<p>This is a paragraph.</p>

Conditional Comment

There is a type of HTML comment called a conditional comment. This is a deprecated, Internet Explorer-only feature that makes it possible to run certain snippets of code only in the versions of Internet Explorer you specify, while all other web browsers treat the whole block as a regular comment.

We try to separate normal HTML comments and conditional comments, and will not show the latter in the report.

Example usage:

<!--[if IE 8]>
<link href="ie8only.css" rel="stylesheet">
<![endif]-->
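To show how a reviewer can separate conditional comments from ordinary ones and pick out the comments worth a closer look, here is an added example script; it is not Detectify's scanner code and the sample page, keyword list and markup heuristic are assumptions chosen for illustration. It uses Python's standard html.parser, which calls handle_comment once per <!-- ... --> block, so an IE conditional comment arrives as a single comment starting with "[if".

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not taken from the article). It mixes an IE
# conditional comment, a harmless comment and three comments that leak
# something: a developer note, commented-out markup and a credential.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<!--[if IE 8]>
<link href="ie8only.css" rel="stylesheet">
<![endif]-->
<!--This is a comment. Comments are not displayed in the browser-->
</head><body>
<p>This is a paragraph.</p>
<!-- TODO remove before launch: debug endpoint at /internal/debug -->
<!-- <form action="/admin/reset" method="post">...</form> -->
<!-- db_password=example_secret_value -->
</body></html>
"""

# A conditional comment starts with "[if ..." or ends with "<![endif]".
CONDITIONAL = re.compile(r"^\s*\[if\b|<!\[endif\]\s*$", re.IGNORECASE)
# Assumed keyword list; tune it for your own code base.
SENSITIVE = re.compile(
    r"password|passwd|secret|api[_-]?key|token|todo|fixme|debug|admin|internal",
    re.IGNORECASE,
)
# A tag inside a comment usually means commented-out code.
COMMENTED_MARKUP = re.compile(r"<\s*[a-zA-Z][^>]*>")


class CommentCollector(HTMLParser):
    """Collects every HTML comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append((self.getpos()[0], data))


def classify_comments(html):
    """Return the non-conditional comments in `html`, each with the reasons
    it deserves review (an empty list means it looks harmless)."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, data in parser.comments:
        if CONDITIONAL.search(data):
            continue  # IE conditional comment: excluded, as the article describes
        reasons = []
        if SENSITIVE.search(data):
            reasons.append("sensitive keyword")
        if COMMENTED_MARKUP.search(data):
            reasons.append("commented-out markup")
        findings.append({"line": line, "comment": data.strip(), "reasons": reasons})
    return findings


def suspicious_comments(html):
    """Only the comments that triggered at least one reason."""
    return [f for f in classify_comments(html) if f["reasons"]]


if __name__ == "__main__":
    for finding in classify_comments(SAMPLE_HTML):
        flag = ", ".join(finding["reasons"]) or "looks harmless"
        print(f"line {finding['line']}: [{flag}] {finding['comment']}")
```

Run it against a saved page source to get a triage list; anything flagged is a candidate for removal, and the rest can be marked as accepted risk with a clear conscience.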

Remediation

Look over the HTML comments to see if any of them exposes information or code that could be useful to an attacker. If you believe this is the case, the right course of action is, of course, to remove the comment from the deployed page. Otherwise, mark the finding as “accepted risk” and we won’t bother you with it in future scans.
