Dev Moviit - 2 months ago
ASP.NET (C#) Question

ASP.NET: Is there a way to serve static html files without programming comments?

I'm serving static html, and I want them to be sent to the client without the <!-- comment --> comments, as they can compromise security.

Is there any way to do this?

Something similar to Razor's @* comment *@ but for html...

Answer

You could write the comments in between Razor's comment tags instead of the html comment tags. Those won't be visible on the front-end.

Besides this, you are printing anything you put in an html file as text (server-side scripts like Razor and PHP excluded). There is no way to take comments out of static html unless you minify them on the server through a tool. But since you state they are static html pages, I'm guessing you aren't using any tools at all?

You could use tools like http://www.willpeavy.com/minifier/ , for example.

The security risks of leaving comments in shouldn't be all that bad. You shouldn't be putting valuable information in HTML comments in the first place. They are nowadays mostly used for showing where an element starts and/or ends for when other programmers take over.

Your JavaScript is visible on the website as well. Let's say you work with AJAX calls and a database. This would create much more risk than some HTML comments. Obviously, you just have to make sure you don't share important information that would cause security issues in client-side comments.

If it is an automated system serving the html and you can remove the comments before giving it out, you could use a function like this:

You could use the Html Agility Pack .NET library. Here is an article that explains how to use it on SO: How to use HTML Agility pack

This is the C# code to remove comments:

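using System;
using HtmlAgilityPack;

HtmlDocument doc = new HtmlDocument();
doc.Load("yourFile.htm");

// get all comment nodes using XPATH; SelectNodes returns null when nothing matches
HtmlNodeCollection comments = doc.DocumentNode.SelectNodes("//comment()");
if (comments != null)
{
    foreach (HtmlNode comment in comments)
    {
        // the parser reports <!DOCTYPE ...> as a comment node; keep it
        if (!comment.OuterHtml.StartsWith("<!DOCTYPE", StringComparison.OrdinalIgnoreCase))
            comment.ParentNode.RemoveChild(comment);
    }
}
doc.Save(Console.Out); // displays doc w/o comments on console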

Source: Removing HTML Comments (You can find lots more options here)

It'll be a simple matter of triggering such a function before saving the html to a static file, or editing the existing file to filter out the comments.
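The build step described above, as an added example that is not part of the original answer: it walks a publish folder, strips HTML comments in place with Html Agility Pack, keeps the DOCTYPE and IE conditional comments, and logs what it removed so a reviewer can see whether anything sensitive had been left in. The class and method names and the default folder `wwwroot` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using HtmlAgilityPack;

static class CommentStripper
{
    // Keep: the parser reports <!DOCTYPE ...> as a comment node, and IE
    // conditional comments affect rendering in old browsers.
    static bool MustKeep(HtmlNode c)
    {
        string raw = c.OuterHtml.TrimStart();
        return raw.StartsWith("<!DOCTYPE", StringComparison.OrdinalIgnoreCase)
            || raw.StartsWith("<!--[if", StringComparison.OrdinalIgnoreCase);
    }

    // Strips comments from one file in place; returns how many were removed.
    public static int StripFile(string path)
    {
        var doc = new HtmlDocument();
        doc.Load(path);

        // SelectNodes returns null (not an empty list) when nothing matches.
        IEnumerable<HtmlNode> found = doc.DocumentNode.SelectNodes("//comment()");
        List<HtmlNode> doomed = (found ?? Enumerable.Empty<HtmlNode>())
            .Where(c => !MustKeep(c)).ToList();

        foreach (HtmlNode c in doomed)
        {
            // Log the dropped text so leaked notes show up in the build output.
            Console.WriteLine($"{path}: removed {c.OuterHtml.Trim()}");
            c.ParentNode.RemoveChild(c);
        }

        if (doomed.Count > 0) doc.Save(path); // untouched files are not rewritten
        return doomed.Count;
    }

    // Hypothetical entry point: pass the publish folder as the first argument.
    static int Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : "wwwroot";
        int total = Directory.EnumerateFiles(root, "*.htm*", SearchOption.AllDirectories)
            .Sum(f => StripFile(f));
        Console.WriteLine($"{total} comment(s) removed under {root}");
        return 0;
    }
}
```

Run it against the publish output rather than the source tree, so the comments stay available to developers while the served files go out without them.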
