HTML-style comments (`<!-- ... -->`) are not stripped by the server: they are sent to the browser with the rest of the page, and any server-side expression placed inside them is still evaluated before the page is served. Using them in a page that is generated or interpolated server-side therefore increases the risk of exposing data that should stay private. For instance, a developer comment or a line of debugging information left in such a page could easily (and has) inadvertently expose:
Every templating and server-side language has its own native comment syntax, which the server strips before output, so there is no justification for HTML-style comments in anything other than a pure HTML or XML file.
Remove the comment, or switch it to the template language's own comment syntax (for JSP, `<%-- ... --%>`), so that it is never written to the response sent to the client.
<%
out.write("<!-- ${username} -->"); // Sensitive
%>
<!-- <% out.write(userId) %> --> // Sensitive
<!-- #{userPhone} --> // Sensitive
<!-- ${userAddress} --> // Sensitive
<!-- Replace 'world' with name --> // Sensitive
<h2>Hello world!</h2>
<%-- Replace 'world' with name --%> // Compliant
<h2>Hello world!</h2>
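A practical check for the rule above is a scan of JSP sources for HTML comments, distinguishing comments that merely leak developer notes from those that interpolate server-side data. The following Python script is an added example, not part of the original rule description or of any scanner; the JSP fragment it scans is constructed for illustration, and the expression patterns it recognises (`${...}`, `#{...}` and `<% ... %>`) are the ones used in the examples above. JSP comments (`<%-- ... --%>`) are blanked out first, since anything inside them never reaches the client.

```python
import re

# Constructed JSP fragment (not from the page): mixes HTML comments, JSP
# comments and server-side expressions so every case of the rule appears once.
SAMPLE_JSP = """<%@ page contentType="text/html" %>
<%
out.write("<!-- ${username} -->");
%>
<!-- <% out.write(userId) %> -->
<!-- #{userPhone} -->
<!-- Replace 'world' with name -->
<h2>Hello world!</h2>
<%-- Replace 'world' with name --%>
<%-- <!-- old debug: ${userAddress} --> --%>
<h2>Hello ${name}!</h2>
"""

# HTML comment, possibly spanning several lines.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# JSP comment: removed by the container, never sent to the client.
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.S)
# Server-side expression forms: EL ${...}, deferred EL #{...}, scriptlet <% ... %>.
SERVER_EXPR = re.compile(r"\$\{[^}]*\}|#\{[^}]*\}|<%(?!--).*?%>", re.S)


def blank_jsp_comments(source):
    """Replace JSP comments with spaces, keeping newlines so line numbers survive."""
    return JSP_COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)


def find_html_comments(source):
    """Return one finding per HTML comment that would reach the client.

    Each finding records the line, the comment body, and whether the body
    contains a server-side expression (the data-exposure case) or is only a
    developer note (still reported, as the rule flags every HTML comment).
    """
    cleaned = blank_jsp_comments(source)
    findings = []
    for m in HTML_COMMENT.finditer(cleaned):
        line = cleaned.count("\n", 0, m.start()) + 1
        body = m.group(1).strip()
        findings.append({
            "line": line,
            "comment": body,
            "interpolates": bool(SERVER_EXPR.search(body)),
        })
    return findings


if __name__ == "__main__":
    for f in find_html_comments(SAMPLE_JSP):
        kind = "exposes server-side data" if f["interpolates"] else "leaks developer note"
        print(f"line {f['line']}: {kind}: <!-- {f['comment']} -->")
```

Running the script against the constructed fragment reports the comment built inside the scriptlet's `out.write` string, the two comments wrapping a scriptlet and an EL expression, and the plain developer note, while the two `<%-- --%>` comments (including the one that wraps an old HTML comment) are correctly ignored.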