@@ -14,15 +14,38 @@ test('`comment`', function(t) {
1414 t . deepEqual (
1515 to ( u ( 'comment' , 'AT&T' ) ) ,
1616 '<!--AT&T-->' ,
17- 'should not encode `comment`s (#1) '
17+ 'should not encode `comment`s'
1818 )
1919
20- // No way to get around this.
21- t . deepEqual (
22- to ( u ( 'comment' , '-->' ) ) ,
23- '<!---->-->' ,
24- 'should not encode `comment`s (#2)'
25- )
20+ // https://html.spec.whatwg.org/multipage/syntax.html#comments
21+ // Optionally, text, with the additional restriction that the text must not
22+ // start with the string `>`, nor start with the string `->`, nor contain the
23+ // strings `<!--`, `-->`, or `--!>`, nor end with the string `<!-`.
24+ var matrix = [
25+ [ '>a' , '>a' ] ,
26+ [ '->a' , '->a' ] ,
27+ [ 'a<!--b' , 'a<!--b' ] ,
28+ [ 'a-->b' , 'a-->b' ] ,
29+ [ 'a--!>b' , 'a--!>b' ] ,
30+ [ 'a<!-' , 'a<!-' ] ,
31+ // Not at start:
32+ [ 'a>' ] ,
33+ [ 'a->' ] ,
34+ // Not at end:
35+ [ 'a<!-b' ]
36+ ]
37+
38+ matrix . forEach ( function ( d ) {
39+ var input = d [ 0 ]
40+ var output = d [ 1 ] || d [ 0 ]
41+ var ok = d [ 1 ] === undefined
42+
43+ t . deepEqual (
44+ to ( u ( 'comment' , input ) ) ,
45+ '<!--' + output + '-->' ,
46+ 'security: should ' + ( ok ? 'allow' : 'prevent' ) + ' `' + input + '`'
47+ )
48+ } )
2649
2750 t . end ( )
2851} )
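Review bot: The matrix rows at new lines 25–30 are checked only against a literal expected string, and as this page renders them each expected value is identical to its input, so the `prevent` assertions would pass for a serializer that escapes nothing; that may be the page decoding character references, so confirm the file itself holds the escaped forms. Independent of that, I would assert the rule from the quoted spec text directly inside the `forEach`, e.g. `var body = to(u('comment', input)).slice(4, -3)` followed by `t.deepEqual(/^-?>|<!--|-->|--!>|<!-$/.test(body), false, 'security: comment body must stay inert')`. The value `-->` on its own, which the removed test covered, and repeated occurrences such as `a-->b-->c` are not in the matrix and are worth adding. The enclosing `test` callback starts above the hunk.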