From 2501b190ab16ba997557537725df4633b7e96e02 Mon Sep 17 00:00:00 2001
From: "Cheng-Han, Wu" <jackymaxj@gmail.com>
Date: Tue, 16 Feb 2016 09:51:22 -0600
Subject: [PATCH] Updated to support html comment tag in XSS

---
 public/js/render.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/public/js/render.js b/public/js/render.js
index fada589..18da145 100644
--- a/public/js/render.js
+++ b/public/js/render.js
@@ -1,10 +1,11 @@
+var whiteListTag = ['style', '!--'];
 var whiteListAttr = ['id', 'class', 'style'];
 
 var filterXSSOptions = {
     allowCommentTag: true,
     onIgnoreTag: function (tag, html, options) {
         // allow style in html
-        if (tag === 'style') {
+        if (whiteListTag.indexOf(tag) !== -1) {
             // do not filter its attributes
             return html;
         }