Here are the issues:
1. Using Filtered HTML input format comments are removed. I think it shouldn't do this or it should allow the !-- tag to be added (it doesn't do that either).
2. If the comments have some html tags inside, the result is even worse. <!-- comment <p>comment</p> --> will result in comment -->. If my previous statement is arguable, now for sure something is wrong. It should either remove the comment or (ideally IMO) let it untouched.
3. Finally, using Full HTML will not strip the comment, but because of the line brake filter if you write 

<!-- comment -->
<!-- comment <p>comment</p> -->

it will output in source view 

<p><!-- comment --><br /><!-- comment
<p>comment</p>
<p> --></p>

. The problem is that on normal view you will see some empty lines and will not know why they are there.

The patch gives you the option to add <!--> as an allowed tags. If the tag is not allowed the comment is removed for good, with everything inside it, html code included (takes care of problem #1 and #2)
It ignores html comments when doing the autop processing (problem #3).

I removed the test because... it will not pass. DOMDocument treats comments as they are, which is text so it will not add a rel="nofollow" to a link inside a comment. That test now passes only because the comments tags are removed and the link is actually displayed (problem #2).

CommentFileSizeAuthor
#12 drupal.filter-comments.12.patch15.83 KBsun
#2 559584-3-html-filter-and-comments.patch4.25 KBtic2000
html-filter-and-comments.patch4.24 KBtic2000
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Status: Needs review » Needs work

The last submitted patch failed testing.

tic2000’s picture

tic2000 CreditAttribution: tic2000 commented
Status: Needs work » Needs review
FileSize
559584-3-html-filter-and-comments.patch4.25 KB
Heine’s picture

Heine CreditAttribution: Heine commented

Important backgrounds (duplicates?):

#69430-3: Comments containing HTML are broken (only leading tag is stripped)
#103563: HTML filter escaping html comments

Status: Needs review » Needs work

The last submitted patch failed testing.

lilou’s picture

lilou CreditAttribution: lilou commented
Status: Needs work » Needs review

HEAD is broken.

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Status: Needs review » Needs work 
+++ includes/common.inc	28 Aug 2009 08:50:30 -0000
@@ -1503,11 +1505,20 @@
+  $comment = &$matches[4];
+  
+  if ($comment) {
+    $elem = '!--';
+  }
...
+  
+  if ($comment) {
+    return $comment;
+  }

Needs inline comments explaining what's being done here.

+++ modules/filter/filter.module	28 Aug 2009 08:50:30 -0000
@@ -954,7 +954,8 @@
       // Opening or closing tag?
-      $open = ($chunk[1] != '/');
+      $open = ($chunk[1] != '/' || $chunk[1] != '!');
+      $comment = (substr($chunk, 0, 4) == '<!--');

Likewise, inline comment needs to be updated.

+++ modules/filter/filter.module	28 Aug 2009 08:50:30 -0000
@@ -963,7 +964,7 @@
       // Only allow a matching tag to close it.
-      elseif (!$open && $ignoretag == $tag) {
+      elseif ((!$open && $ignoretag == $tag) || $comment) {

ditto, explaining special case of $comment

I'm on crack. Are you, too?

neochief’s picture

neochief CreditAttribution: neochief commented
Status: Needs work » Closed (duplicate)

#222926: HTML Corrector filter escapes HTML comments

gpk’s picture

gpk CreditAttribution: gpk commented
Status: Closed (duplicate) » Needs work

Re-opening per #222926-119: HTML Corrector filter escapes HTML comments. The point being that with the refactoring of the HTML corrector in #374441: Refactor Drupal HTML corrector (PHP5) it is a different beast in 7.x. Specifically,

1) in 6.x HTML comments get escaped, whereas in 7.x they get removed (i.e. #374441 partially fixed the problem)
2) this issue and #222926 need different approaches to fix them

rfay’s picture

rfay
Primary language English
Location Palisade, CO, USA
CreditAttribution: rfay commented

subscribe

markus_petrux’s picture

markus_petrux CreditAttribution: markus_petrux commented

subscribe

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Title: Handling of html comments in filter module » Broken HTML comments due to filter_xss() and Filter module filters
Priority: Normal » Major

Better title. Major, as this is regression from D6.

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Title: Broken HTML comments due to filter_xss() and Filter module filters » filter_xss() and Line break filter break HTML comments
Status: Needs work » Needs review
FileSize
drupal.filter-comments.12.patch15.83 KB

1) Apparently, there almost no tests for the Line break filter. Bad!

2) For filter_xss(), we have lots of XSS tests, but not a single assertion that verifies that non-XSS stuff stays as is. Bad!

3) FilterUnitTestCase contains old and duplicated tests for check_plain(), which is already tested elsewhere. If required, I'm going to move those clean-ups into a separate issue.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Needs review » Fixed

This looks good. Committed to CVS HEAD.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.