diff -r ad00dc1f8706 -r 54c79adfb694 includes/functions.php
--- a/includes/functions.php Sat Oct 06 13:01:46 2007 -0400
+++ b/includes/functions.php Sat Oct 06 13:18:30 2007 -0400
@@ -1822,6 +1822,8 @@
 $tag_whitelist = array_keys ( setupAttributeWhitelist() );
 if ( !$filter_php )
 $tag_whitelist[] = '?php';
+ // allow HTML comments
+ $tag_whitelist[] = '!--';
 $len = strlen($html);
 $in_quote = false;
 $quote_char = '';
@@ -1882,8 +1884,12 @@
 }
 else
 {
+ // If not filtering PHP, don't bother to strip
 if ( $tag_name == '?php' && !$filter_php )
 continue;
+ // If this is a comment, likewise skip this "tag"
+ if ( $tag_name == '!--' )
+ continue;
 $f = fixTagAttributes( $attribs_only, $tag_name );
 $s = ( empty($f) ) ? '' : ' ';
 
@@ -1911,16 +1917,13 @@
 }
 }
-
+ // Vulnerability from ha.ckers.org/xss.html: //
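Review bot: Whitelisting `!--` hands the comment's boundaries to the tag scanner, which from the `$in_quote`/`$quote_char` state initialised here appears to end a tag at the first unquoted `>`, whereas a browser ends a comment at the first `-->` and honours no quotes inside it. If that is how the loop works, an input such as `<!-- " --> <script>alert(1)</script> " -->` is one skipped pseudo-tag to the sanitizer but a closed comment followed by live script to the browser, which reopens the class of XSS this function exists to stop. Comments are better handled before the tag loop with the browser's own rule, and because an unterminated `<!--` hides the rest of the document that case should be cut as well: `$html = preg_replace('/<!--.*?(?:-->|$)/s', '', $html);` placed before `$len = strlen($html);` — or, if comments must survive, re-emitted with a body that contains no `--` or `>`. The tag loop these lines set up runs outside this hunk, so the quote handling should be confirmed there.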
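Review bot: The new `continue` for `!--` passes the comment through untouched, so its body is never examined, yet Internet Explorer executes markup inside conditional comments (`<!--[if IE]><script>…</script><![endif]-->`), and whether such a comment reaches this branch as `$tag_name == '!--'` depends on how the name is split, which is outside the hunk. If it does, the skip should at least refuse conditional comments, which is one condition provided `$attribs_only` holds the text after the tag name as its use in `fixTagAttributes( $attribs_only, $tag_name )` suggests: `if ( $tag_name == '!--' && !preg_match('/^\s*\[\s*(?:if|endif)\b/i', $attribs_only) )`. Safer still is to treat a comment like any other non-whitelisted tag and strip it, since this function has no model of what a browser does with a comment body or with an unterminated `<!--`. The exact variables to test should be confirmed where `$tag_name` and `$attribs_only` are derived, earlier in the loop than this hunk shows.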