Using HTML-style comments in a page that is generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. HTML comments are sent to the browser as part of the response body, so a developer comment or a line of debugging output left in a page could easily (and has been known to) inadvertently expose:

Every other language has its own native comment format, so there is no justification for using HTML-style comments in anything other than a pure HTML or XML file.

Ask Yourself Whether

Recommended Secure Coding Practices

Remove the comment, or change it to the server-side comment style of the templating language so that it is never written to the response sent to the client.

Sensitive Code Example

    <%
        out.write("<!-- ${username} -->");  // Sensitive
    %>
    <!-- <% out.write(userId) %> -->  // Sensitive
    <!-- #{userPhone} -->  // Sensitive
    <!-- ${userAddress} -->  // Sensitive

    <!-- Replace 'world' with name -->  // Sensitive
    <h2>Hello world!</h2>

Compliant Solution

    <%-- Replace 'world' with name --%>  // Compliant
    <h2>Hello world!</h2>
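As an added example that is not part of the rule text, the scanner below implements the distinction the rule relies on: it blanks out `<%-- --%>` comments, which the JSP translator discards, and reports every HTML comment that remains in the template, marking those that interpolate server-side data through `${}`, `#{}` or `<% %>`. The JSP source it scans is a constructed sample.

```python
import re
from typing import List, Tuple

# Constructed sample JSP source: one HTML comment per sensitive pattern
# the rule describes, plus compliant JSP-style comments that never
# reach the client.
SAMPLE_JSP = """<%
    out.write("<!-- ${username} -->");
%>
<!-- <% out.write(userId) %> -->
<!-- #{userPhone} -->
<!-- Replace 'world' with name -->
<%-- Replace 'world' with name --%>
<%-- <!-- html comment nested in a JSP comment: also stripped --> --%>
<h2>Hello world!</h2>
"""

JSP_COMMENT = re.compile(r"<%--.*?--%>", re.DOTALL)  # dropped at translation time
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)  # sent to the browser verbatim
DYNAMIC = re.compile(r"\$\{|#\{|<%")                 # EL or scriptlet in the comment


def blank_out(match: "re.Match") -> str:
    """Replace a match with spaces, keeping newlines so line numbers stay stable."""
    return re.sub(r"[^\n]", " ", match.group(0))


def find_html_comments(source: str) -> List[Tuple[int, str, bool]]:
    """Return (line, comment_text, interpolates_server_data) for every HTML
    comment that survives JSP translation, i.e. is not inside <%-- --%>."""
    visible = JSP_COMMENT.sub(blank_out, source)
    findings = []
    for m in HTML_COMMENT.finditer(visible):
        line = visible.count("\n", 0, m.start()) + 1
        text = " ".join(m.group(0).split())  # collapse whitespace for reporting
        findings.append((line, text, bool(DYNAMIC.search(text))))
    return findings


if __name__ == "__main__":
    for line, text, dynamic in find_html_comments(SAMPLE_JSP):
        kind = "leaks server-side data" if dynamic else "leaks developer note"
        print(f"line {line}: {kind}: {text}")
```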

See