0

I'm serving static html, and I want them to be sent to the client without the <!-- comment --> comments, as they can compromise security.

Is there any way to do this?

Something similar to Razor's @* comment *@ but for html...

Shy Agam

2 Answers

2

If you are talking about removing the comments from the HTML files themselves, you can of course open them in Notepad and remove the comments manually. But I think you are talking about removing them in real time when the page is sent to the browser. You want the comments to remain in the static files.

If you are running IIS in classic mode, you will not be able to remove the comments in real time with ASP.NET code. But if you are running IIS in integrated pipeline mode, you can hook into the request/response pipeline and postprocess the HTML file, and do whatever you want to it, e.g. in the EndRequest event handler.

Not sure of the specifics of parsing a page and finding the HTML comments to remove them-- could be tricky-- looks like someone else asked this question and there are a couple answers in there you could explore.

John Wu
0

You could write the comments in between Razor's comment tags instead of the html comment tags. Those won't be visible on the front-end.

Besides this, you are printing anything you put in an html file as text (server-side scripts like Razor and PHP excluded). There is no way to take comments out of static html unless you minify them on the server through a tool. But since you state they are static html pages, I'm guessing you aren't using any tools at all?

You could use tools like http://www.willpeavy.com/minifier/ , for example.

The security risks of leaving comments in shouldn't be all that bad. You shouldn't be putting valuable information in HTML comments in the first place. They are nowadays mostly used for showing where an element starts and/or ends for when other programmers take over.

Your JavaScript is visible on the website as well. Let's say you work with ajax calls and a database. This would create much more risk than some HTML comments. Obviously, you just have to make sure you don't share important information that would cause security issues in client-side comments.

If it is an automated system serving the html and you can remove the comments before giving it out, you could use a function like this:

You could use the Html Agility Pack .NET library. Here is an article that explains how to use it on SO: How to use HTML Agility pack

This is the C# code to remove comments:

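using System;
using HtmlAgilityPack;

HtmlDocument doc = new HtmlDocument();
doc.Load("yourFile.htm");
// get all comment nodes using XPath; SelectNodes returns null when there are none
var comments = doc.DocumentNode.SelectNodes("//comment()");
if (comments != null)
{
    foreach (HtmlNode comment in comments)
    {
        // Html Agility Pack reports <!DOCTYPE ...> as a comment node; keep it
        if (comment.OuterHtml.StartsWith("<!DOCTYPE", StringComparison.OrdinalIgnoreCase))
            continue;
        comment.ParentNode.RemoveChild(comment);
    }
}
doc.Save(Console.Out); // displays doc w/o comments on console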

Source: Removing HTML Comments (You can find lots more options here)

It'll be a simple matter of triggering such a function before saving the html to a static file, or editing the existing file to filter out the comments.

NoobishPro
  • As the file is static, any Razor tags I will put will render on the page as text. Also I was looking for a method to do this automatically when serving the files... Not by hand. But you do have a point. If I need to comment my html, maybe it means I need to simplify it... ;) – Shy Agam Sep 07 '16 at 12:35
  • I didn't know you meant the file was static. I thought you meant only the html was. In that case it's not possible unless you throw the file into some kind of filter, first. Do you deliver the static file manually or through an automated C# process? If it's through an automated process, you could put in a function to remove the comments first. - as I've said in my answer; it's not possible to hide html comments. – NoobishPro Sep 07 '16 at 12:37
  • The files are served through an MVC controller – Shy Agam Sep 07 '16 at 12:38
  • Updated my answer. – NoobishPro Sep 07 '16 at 12:48
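
Since the comments above say the files are served through an MVC controller, here is one way to strip comments at serve time with Html Agility Pack. This is an added example, not code from any of the posters; the controller and action names, the `~/App_Data/Pages` folder and the file-name whitelist are assumptions.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web.Mvc;
using HtmlAgilityPack;

// Hypothetical controller (added example, not from the thread).
public class StaticPageController : Controller
{
    // Assumed folder holding the commented source files; not web-accessible directly.
    private const string PagesRoot = "~/App_Data/Pages";

    // Accept only simple names so the parameter cannot escape PagesRoot.
    private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9_-]+\z");

    public ActionResult Show(string name)
    {
        if (string.IsNullOrEmpty(name) || !SafeName.IsMatch(name))
            return HttpNotFound();

        string path = Path.Combine(Server.MapPath(PagesRoot), name + ".html");
        if (!System.IO.File.Exists(path))   // Controller.File() hides System.IO.File
            return HttpNotFound();

        var doc = new HtmlDocument();
        doc.Load(path);
        return Content(StripComments(doc), "text/html");
    }

    internal static string StripComments(HtmlDocument doc)
    {
        // SelectNodes returns null (not an empty list) when nothing matches.
        var comments = doc.DocumentNode.SelectNodes("//comment()");
        if (comments != null)
        {
            foreach (HtmlNode comment in comments)
            {
                // The parser reports <!DOCTYPE ...> as a comment node; keep it.
                if (comment.OuterHtml.StartsWith("<!DOCTYPE", StringComparison.OrdinalIgnoreCase))
                    continue;
                comment.Remove();
            }
        }
        return doc.DocumentNode.OuterHtml;
    }
}
```

The loop also removes conditional comments such as `<!--[if IE]>`, so exempt those the same way as the DOCTYPE if a page depends on them.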