[whatwg] Unterminated comments in <textarea>, <script>, <style>, <title>, and <iframe>

Adam Barth whatwg at adambarth.com
Thu Jun 26 22:12:26 PDT 2008

Recently, I've been testing how browser parsers handle unterminated
<!-- comments -->.  Internet Explorer 7, Firefox 3, Safari 3.1, and
Opera 9.5 agree on the following cases:


Essentially, they treat the <!-- as if it did not start a comment.
Ian pointed out on IRC that this might be a security vulnerability
because the result of parsing the stream depends on whether the parser
hung or terminated at the end of the stream.  (If the parser had hung,
it would be awaiting more characters for the comment.)

The above browsers almost agree for on the behavior for <title>:


Internet Explorer 7, Firefox 3, and Opera 9.5 treat treat <!-- as if
it did not start a comment.  Safari 3.1 differs slightly and only uses
the portion before the <!-- as the title, but otherwise parses the
remainder of the document as if <!-- did not start a comment.

The above browsers differ in their handling of unterminated comments
for the <iframe> element:


Internet Explorer 7 and Safari 3.1 follow the spec and consume the
remainder of the document in the comment.  Firefox 3 and Opera 9.5
treat <!-- as if it did not start a comment.

As I understand it, browser behavior for <textarea>, <script>,
<style>, and <title> differs from the spec.  It is unclear whether
browsers will change to match the spec, especially because the
<script> element might contain <!-- sequences in string literals or
regular expressions (e.g.,


More information about the whatwg mailing list