diff -uNr HTML-Scrubber-0.11/lib/HTML/Scrubber.pm HTML-Scrubber-0.11p/lib/HTML/Scrubber.pm
--- HTML-Scrubber-0.11/lib/HTML/Scrubber.pm 2013-10-11 17:12:16.000000000 +0300
+++ HTML-Scrubber-0.11p/lib/HTML/Scrubber.pm 2015-12-12 18:03:09.185180687 +0200
@@ -284,7 +284,10 @@
 }
 }
 elsif ( $e eq 'comment' ) {
- $outstr .= $text if $s->{_comment};
+ if ( $s->{_comment} ) {
+ # only copy comments through if they are well formed...
+ $outstr .= $text if ( $text =~ m|^<!--.*-->$|ms );
+ }
 }
 elsif ( $e eq 'process' ) {
 $outstr .= $text if $s->{_process};
diff -uNr HTML-Scrubber-0.11/t/jvn53973084.t HTML-Scrubber-0.11p/t/jvn53973084.t
--- HTML-Scrubber-0.11/t/jvn53973084.t 1970-01-01 03:00:00.000000000 +0300
+++ HTML-Scrubber-0.11p/t/jvn53973084.t 2015-12-12 18:04:45.674233805 +0200
@@ -0,0 +1,21 @@
+# Tests related to JVN53973084
+
+use strict;
+use warnings;
+use Test::More;
+
+use_ok('HTML::Scrubber');
+
+my @allow = qw[
+ hr
+];
+
+my $html_1 = q[<hr><a href="javascript:alert(1)"<hr>abc];
+my $html_2 = q[<img src="javascript:alert(1)"];
+foreach my $comment_value ( 0, 1 ) {
+ my $scrubber = HTML::Scrubber->new( allow => \@allow, comment => $comment_value );
+ is( $scrubber->scrub($html_1), '<hr>abc', "correct result (1) - with comment => $comment_value" );
+ is( $scrubber->scrub($html_2), '', "correct result (2) - with comment => $comment_value" );
+}
+
+done_testing;
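Review bot: The well-formedness check on the added `$outstr .= $text if ( $text =~ m|^<!--.*-->$|ms );` line anchors with `^`/`$` under `/m`, so they match at any line boundary rather than the ends of the string: a comment text such as `<!-- a -->\n<b onmouseover=...>` satisfies `-->$` before the embedded newline and is copied through untouched, and even without `/m` a bare `$` tolerates one trailing newline. Whether HTML::Parser can hand this branch a comment event that carries markup after a newline is not visible in the hunk, but the anchors cost nothing to tighten and `/s` still lets `.*` span a legitimate multi-line comment: `$outstr .= $text if ( $text =~ m{\A<!--.*-->\z}s );`. The enclosing subroutine starts and ends outside the hunk.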
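Review bot: The new test file only covers the negative case (the unterminated tags in `$html_1` and `$html_2` being dropped); nothing asserts that a genuine comment still survives with `comment => 1`, so a regression that rejects every comment, such as a typo in the new well-formedness regex, would pass this file. Inside the loop add `is( $scrubber->scrub('<!-- ok -->'), $comment_value ? '<!-- ok -->' : '', "well-formed comment kept only with comment => $comment_value" );`, whose expected values follow from the `if ( $s->{_comment} )` guard in the library change, assuming the parser reports `<!-- ok -->` as a single comment event. Separately, `use_ok('HTML::Scrubber')` at run time only records a failed test when the module does not load, after which `HTML::Scrubber->new` dies with a less useful "Can't locate object method" error; `BEGIN { use_ok('HTML::Scrubber'); }` or a plain `use HTML::Scrubber;` keeps the load failure as the first and clearest diagnostic.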