Ezratic

Reputation: 67

HTML Comment Behavior

So, I noticed while messing around in a Magento WYSIWYG editor (of all things) that <!> renders as <!----> in the resultant HTML. It also seems that enclosing any string in <! > renders a normal <!-- [string] --> comment. I only tested this in Chrome, but this behavior seems a little odd to me. I have looked at the W3C spec on comments, as well as this little document on the MDN. Neither gave me an answer I could really wrap my head around, though; what is the significance of the comment open delimiter ("--"), and if it is left out, how does <!> seem to always result in a proper comment? Is it, perhaps, my browser just getting rid of invalid markup? Why isn't <!> just rendered as text? I know this isn't important, or even pertinent to anything at all, but I am just curious!

Upvotes: 2

Views: 72

Answers (2)

Jukka K. Korpela

Reputation: 201588

Formally, the comment syntax in HTML up to HTML 4.01 is complicated, following the SGML standard, but in practice HTML was never implemented as an SGML application. An old page, "HTML comments" by WDG, briefly explains the HTML comment syntax and makes some practical notes on it. In practice, a comment should start with <!-- and end with -->. This is made formal in XHTML and in HTML5.

But browsers have implemented comment syntax more liberally, so that you can start them with <! and end with > (even though this is not official and causes an error message from an HTML5 validator). This has been described and prescribed as required browser behavior in HTML5 parsing rules; see section 8.2.4.45 Markup declaration open state, which defines how “bogus comment state” will be entered.

Thus, <! foo > actually works (and creates a comment node in the DOM), but it is forbidden in XHTML and in HTML5.

Upvotes: 1

Camron_Godbout

Reputation: 1633

This is talked about in an XSS demo by OWASP (YouTube video) around the 18 minute mark. But basically it's the way the browser handles the comment, because it surrounds whatever you put with -- --, so if you put <!-> it goes to five <!----->.

Upvotes: 0
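
Added example (not part of either answer, and not code from any browser): a simplified JavaScript model of the "markup declaration open" and "bogus comment" tokenizer states cited in the first answer, showing why `<!>`, `<! foo >` and `<!->` all come back as well-formed comments. The names `parseMarkupDeclaration` and `result` are made up for this example, and it assumes HTML content (no CDATA sections).

```javascript
// Added example: simplified model of the HTML tokenizer's handling of "<!"
// (markup declaration open state -> comment or bogus comment).
// Assumption: HTML content only, so "<![CDATA[" is also a bogus comment.
function parseMarkupDeclaration(input) {
  if (!input.startsWith('<!')) throw new Error('input must start with "<!"');
  const rest = input.slice(2);

  // <!DOCTYPE ...> is matched case-insensitively and is not a comment.
  if (/^doctype/i.test(rest)) return { kind: 'doctype' };

  if (rest.startsWith('--')) {
    const body = rest.slice(2);
    // Abruptly closed empty comments: <!--> and <!--->
    const abrupt = /^-?>/.exec(body);
    if (abrupt) return result('comment', '', 4 + abrupt[0].length);
    // Regular comment: data runs to the first "-->" (or "--!>").
    const end = /--!?>/.exec(body);
    if (end) return result('comment', body.slice(0, end.index), 4 + end.index + end[0].length);
    // Unterminated: a trailing "-", "--" or "--!" is not part of the data.
    return result('comment', body.replace(/-(-!?)?$/, ''), input.length);
  }

  // Anything else after "<!" is a bogus comment: data runs to the FIRST ">".
  const gt = rest.indexOf('>');
  const data = gt === -1 ? rest : rest.slice(0, gt);
  return result('bogus comment', data, gt === -1 ? input.length : 2 + gt + 1);
}

// The DOM keeps only the comment data; serialising always writes <!-- and -->,
// which is why the WYSIWYG editor shows a "proper" comment afterwards.
function result(kind, data, consumed) {
  data = data.replace(/\0/g, '\uFFFD'); // NUL becomes U+FFFD in comment data
  return { kind, data, consumed, serialized: `<!--${data}-->` };
}

// Constructed sample inputs, including the three from this thread.
for (const s of ['<!>', '<! foo >', '<!->', '<!-- a -->', '<! x > y -->']) {
  const r = parseMarkupDeclaration(s);
  console.log(JSON.stringify(s), '->', r.kind, JSON.stringify(r.serialized),
              'rest:', JSON.stringify(s.slice(r.consumed)));
}
```

Note the last input: the bogus comment ends at the first `>`, so ` y -->` is ordinary text to the browser, and a filter that only recognises `<!--` ... `-->` will disagree with the browser about where such a comment ends.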
