vanwobe

This must be linked to: https://github.com/OWASP/java-html-sanitizer/blob/master/docs/client-side-templates.md#escaping-of-sensitive-constructs In your example the comments could indeed be removed still fulfilling the escaping of sensitive constructs rule.