HTML Comments

HTML comments are part of standard HTML. They act only as comments in the source and have no effect on how the page is rendered or executed.

What can happen?

There are multiple legitimate uses of HTML comments, and they do not per se constitute a vulnerability. However, the reason we chose to include this in our findings is that HTML comments often expose sensitive information, and they are also used to hold temporarily commented-out code that should actually be in use.

Example of HTML Comments

W3Schools' example:

<!--This is a comment. Comments are not displayed in the browser-->
<p>This is a paragraph.</p>

Conditional Comment

There is a type of HTML comment called a conditional comment. This is a deprecated, Internet Explorer-only feature that makes it possible to run certain snippets of code only in the versions of Internet Explorer you specify, while all other web browsers treat it as a regular comment.

We try to separate normal HTML comments from conditional comments, and will not show the latter in the report.

Example usage:

<!--[if IE 8]>
<link href="ie8only.css" rel="stylesheet">
<![endif]-->
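As an added example (not part of the original finding text or of the scanner's own code), the following Python script pulls every comment out of a page, drops Internet Explorer conditional comments the way the report does, and ranks the remaining ones by whether they hold commented-out markup or keywords that often accompany leaked information. The keyword list, the classification names and the sample page are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Downlevel-hidden conditional comments arrive as "[if IE 8]> ... <![endif]";
# the revealed variant is split by the parser into "[if !IE]><!" and "<![endif]".
CONDITIONAL_RE = re.compile(r"^\s*\[if\b[^\]]*\]>|<!\[endif\]\s*$")
# Constructed heuristic: words that often sit next to leaked credentials or dev notes.
SENSITIVE_RE = re.compile(r"\b(password|passwd|secret|api[_-]?key|token|todo|fixme|debug|internal)\b", re.I)
MARKUP_RE = re.compile(r"<\s*[a-zA-Z][^>]*>")  # a tag inside a comment usually means disabled markup

class CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []  # (line number, comment text)

    def handle_comment(self, data):
        self.comments.append((self.getpos()[0], data))

def classify(comment):
    """Return 'conditional', 'sensitive', 'commented_out_code' or 'plain'."""
    if CONDITIONAL_RE.search(comment):
        return "conditional"
    if SENSITIVE_RE.search(comment):
        return "sensitive"
    if MARKUP_RE.search(comment):
        return "commented_out_code"
    return "plain"

def triage(html):
    """List (line, kind, text) for each non-conditional comment, most suspicious first."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    rank = {"sensitive": 0, "commented_out_code": 1, "plain": 2}
    findings = [(line, classify(text), text.strip()) for line, text in parser.comments]
    findings = [f for f in findings if f[1] != "conditional"]  # conditional ones are never reported
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))

# Constructed sample page; not taken from any real site.
SAMPLE = """<html><head><!--[if IE 8]>
<link href="ie8only.css" rel="stylesheet">
<![endif]--></head><body>
<!--This is a comment. Comments are not displayed in the browser-->
<!-- <form action="/export"><input type="hidden" name="format"></form> -->
<!-- TODO remove before launch: db password is in config.bak -->
</body></html>"""

if __name__ == "__main__":
    for line, kind, text in triage(SAMPLE):
        print(f"line {line}: {kind}: {text[:60]}")
```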

Remediation

Look over the HTML comments to see if any of them could be considered a threat. If you believe this is the case, the right course of action is, of course, to mitigate the threat. Otherwise, mark the finding as “accepted risk” and we won’t bother you with it in future scans.

Resources