From 21e9e8cf68ef007136da6cc212d2f1f252fb668a Mon Sep 17 00:00:00 2001
From: R. Merkert
Date: Sat, 17 Aug 2013 19:09:28 -0400
Subject: fix(ngSanitize): sanitizer should not accept <!--> as a valid comment

According to http://validator.w3.org/ , <!--> is not a valid comment
and neither is any comment containing the -- substring.
---
 src/ngSanitize/sanitize.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/ngSanitize/sanitize.js b/src/ngSanitize/sanitize.js
index 3d904ad1..ffee51df 100644
--- a/src/ngSanitize/sanitize.js
+++ b/src/ngSanitize/sanitize.js
@@ -210,9 +210,10 @@ function htmlParser( html, handler ) {
 
       // Comment
       if ( html.indexOf("<!--") === 0 ) {
-        index = html.indexOf("-->");
+        // comments containing -- are not allowed unless they terminate the comment
+        index = html.indexOf("--", 4);
 
-        if ( index >= 0 ) {
+        if ( index >= 0 && html.lastIndexOf("-->", index) === index) {
           if (handler.comment) handler.comment( html.substring( 4, index ) );
           html = html.substring( index + 3 );
           chars = false;
-- 
cgit v1.2.3