java-html-sanitizer
Commented vulnerability is sanitized without being notified in HtmlChangeListener
The following string:
<!--><img src=x onerror=alert(1)>-->
is being cleaned up by the sanitizer: the comment is just removed, but this does not go through the htmlChangeListener object. Eventually, malicious code can enter our system through comments, because we check for vulnerabilities through the changeListener; we don't want the sanitized text.
This project does not guarantee that the input is safe if there are no notifications.
It only guarantees that the output is safe.
This gets removed because, according to the sanitizer's interpretation, that whole input is one comment.
@mikesamuel, I also encountered a bug. I used the htmlChangeListener to capture the error: if there is no event in htmlChangeListener, I think there is no error and use the original string, because this tool will change the input string format.
The input string is like this:
<body><p><!><script>alert(1)</script><h1>Test</h1></p></body>
and the final filtered string is:
<body><p></p>alert(1)<h1>Test</h1></body>
Also, why has alert(1) been preserved?
thank you
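Both reports above use HtmlChangeListener as an "is the input safe?" oracle and fall back to the original string when no callback fires. The maintainer's point is that the listener is not that oracle: the only guarantee is that the sanitized output is safe. The following class is an added example written for this page, not code from the java-html-sanitizer project or from either commenter. It runs the two inputs from the thread through a policy built from the library's public Sanitizers constants, records every listener callback, and applies the defensible rule: always keep the sanitized output, and treat any difference between input and output (not only a listener event) as "the input was modified". The chosen policy (FORMATTING + BLOCKS + IMAGES) and the Result wrapper are assumptions of this example; the reporters' actual policies are not shown on the page.

```java
import org.owasp.html.HtmlChangeListener;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added example: use the sanitizer's output, never the listener, as the safety decision. */
public class SanitizerOutputCheck {

    /** Assumed policy for this example; the reporters' real policies are not on the page. */
    static final PolicyFactory POLICY =
            Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES);

    /** Records every callback so we can see how many (if any) fire for a given input. */
    static final class RecordingListener implements HtmlChangeListener<List<String>> {
        @Override
        public void discardedTag(List<String> log, String elementName) {
            log.add("discarded tag: " + elementName);
        }

        @Override
        public void discardedAttributes(List<String> log, String tagName, String... attributeNames) {
            log.add("discarded attributes on " + tagName + ": " + String.join(",", attributeNames));
        }
    }

    /** Hypothetical result holder for this example. */
    static final class Result {
        final String output;            // the only string that may be stored or rendered
        final List<String> events;      // listener callbacks, informational only
        final boolean outputDiffersFromInput;

        Result(String input, String output, List<String> events) {
            this.output = output;
            this.events = Collections.unmodifiableList(events);
            // Comments, stray '<!' and other constructs can be dropped without any callback,
            // so a string comparison is the conservative "was anything changed?" signal.
            this.outputDiffersFromInput = !input.equals(output);
        }
    }

    /** Sanitizes the input and reports what happened; callers must use result.output. */
    static Result sanitizeAndReport(String untrustedHtml) {
        List<String> events = new ArrayList<>();
        String output = POLICY.sanitize(untrustedHtml, new RecordingListener(), events);
        return new Result(untrustedHtml, output, events);
    }

    public static void main(String[] args) {
        // Constructed samples: the two inputs from the thread plus one benign fragment.
        String[] samples = {
            "<!--><img src=x onerror=alert(1)>-->",
            "<body><p><!><script>alert(1)</script><h1>Test</h1></p></body>",
            "<p>Hello <b>world</b></p>",
        };
        for (String sample : samples) {
            Result r = sanitizeAndReport(sample);
            System.out.println("input : " + sample);
            System.out.println("output: " + r.output);
            System.out.println("listener events: " + r.events.size() + " " + r.events);
            System.out.println("changed by sanitizer: " + r.outputDiffersFromInput);
            System.out.println();
        }
    }
}
```

The property to rely on is that `r.output` is safe under the policy regardless of whether `r.events` is empty. Using `outputDiffersFromInput` as the "something was removed" signal errs on the safe side: it also fires when the sanitizer merely re-serializes benign markup (the normalization the second commenter observed), which is the correct direction for a reject-or-log decision, whereas an empty listener log says nothing about the input.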