OWASP · jfbyers · Dec 15, 2023 · Mar 22, 2024 · Mar 22, 2024 · Sep 24, 2024
diff --git a/src/main/java/org/owasp/html/HtmlLexer.java b/src/main/java/org/owasp/html/HtmlLexer.java
@@ -476,6 +476,7 @@ private static enum State {
     COMMENT,
     COMMENT_DASH,
     COMMENT_DASH_DASH,
+    COMMENT_DASH_AFTER_BANG,
     DIRECTIVE,
     DONE,
     BOGUS_COMMENT,
@@ -640,17 +641,30 @@ && canonicalElementName(start + 2, end)
                 case BANG:
                   if ('-' == ch) {
                     state = State.BANG_DASH;
+                  } else if('>' == ch) { // <!> is a valid html comment
+                    state = State.DONE;
+                    type = HtmlTokenType.COMMENT;
                   } else {
                     state = State.DIRECTIVE;
                   }
                   break;
                 case BANG_DASH:
                   if ('-' == ch) {
-                    state = State.COMMENT;
+                    state = State.COMMENT_DASH_AFTER_BANG;
                   } else {
                     state = State.DIRECTIVE;
                   }
                   break;
+                case COMMENT_DASH_AFTER_BANG:
+                  if ('>' == ch) { // <!--> is a valid html comment
+                    state = State.DONE;
+                    type = HtmlTokenType.COMMENT;
+                  } else if ('-' == ch) { // <!---> is a valid html comment
+                    state = State.COMMENT_DASH_AFTER_BANG;
+                  } else {
+                    state = State.COMMENT;
+                  }
+                  break;
                 case COMMENT:
                   if ('-' == ch) {
                     state = State.COMMENT_DASH;
@@ -665,6 +679,8 @@ && canonicalElementName(start + 2, end)
                   if ('>' == ch) {
                     state = State.DONE;
                     type = HtmlTokenType.COMMENT;
+                  } else if ('!' == ch) {  // --!> is also valid closing sequence
+                    state = State.COMMENT_DASH_DASH;
                   } else if ('-' == ch) {
                     state = State.COMMENT_DASH_DASH;
                   } else {

diff --git a/src/test/java/org/owasp/html/HtmlLexerTest.java b/src/test/java/org/owasp/html/HtmlLexerTest.java
@@ -121,6 +121,45 @@ public static final void testShortTags() {
         "TAGEND: >");
   }
 
+  @Test
+  public static final void testCommentDeclarationWith0CommentsAndXss() throws Exception
+  {
+    //check https://datatracker.ietf.org/doc/html/rfc1866#section-3.2.5
+    assertTokens("<!><img src=1 onError=alert(\"nice\")>",
+            "COMMENT: <!>",
+            "TAGBEGIN: <img",
+            "ATTRNAME: src",
+            "ATTRVALUE: 1",
+            "ATTRNAME: onError",
+            "ATTRVALUE: alert(\"nice\")",
+            "TAGEND: >"
+    );
+  }
+
+  @Test
+  public static final void testAbruptClosingOfEmptyComment() throws Exception
+  {
+    assertTokens("<!--><img>a<!--->b<!->c",
+            "COMMENT: <!-->",
+            "TAGBEGIN: <img",
+            "TAGEND: >",
+            "TEXT: a",
+            "COMMENT: <!--->",
+            "TEXT: b",
+            "SERVERCODE: <!->c"
+    );
+  }
+
+  @Test
+  public static final void testIncorrectlyClosedComment() throws Exception
+  {
+    assertTokens("<!-- Comment --!><img>",
+            "COMMENT: <!-- Comment --!>",
+            "TAGBEGIN: <img",
+            "TAGEND: >"
+    );
+  }
+
   private static void lex(String input, Appendable out) throws Exception {
     HtmlLexer lexer = new HtmlLexer(input);
     int maxTypeLength = 0;