Fix breaking out of comments

Author: wooorm

lib/index.js

@@ -8,6 +8,7 @@ module.exports = wrapper
 var own = {}.hasOwnProperty
 
 var allData = 'data*'
+var commentEnd = '-->'
 
 var nodeSchema = {
   root: {children: all},
@@ -326,7 +327,15 @@ function handleDoctype(schema) {
 }
 
 function handleComment(schema) {
-  return schema.allowComments ? {value: handleValue} : null
+  return schema.allowComments ? {value: handleCommentValue} : null
+}
+
+// See <https://html.spec.whatwg.org/multipage/parsing.html#serialising-html-fragments>
+function handleCommentValue(schema, value) {
+  var val = typeof value === 'string' ? value : ''
+  var index = val.indexOf(commentEnd)
+
+  return index === -1 ? val : val.slice(0, index)
 }
 
 // Sanitize `value`.

test.js

@@ -68,6 +68,22 @@ test('sanitize()', function(t) {
       'should allow `comment`s with `allowComments: true`'
     )
 
+    st.equal(
+      html(sanitize(u('comment', {toString: toString}), {allowComments: true})),
+      '<!---->',
+      'should ignore non-string `value`s with `allowComments: true`'
+    )
+
+    st.equal(
+      html(
+        sanitize(u('comment', 'alpha--><script>alert(1)</script><!--bravo'), {
+          allowComments: true
+        })
+      ),
+      '<!--alpha-->',
+      'should not break out of comments with `allowComments: true`'
+    )
+
     st.end()
   })