fix(parser): parse HTML-like comments in unambiguous mode #18442
graphite-app[bot] merged 1 commit into main
CodSpeed Performance Report: Merging this PR will not alter performance.
Pull request overview
This PR implements support for HTML-like comments (`<!--` and `-->`) according to ECMAScript Annex B.1.1, addressing issue #18392. The implementation correctly handles three different module modes: Script/CommonJS (where HTML comments are valid), Unambiguous (.js files where HTML comments are accepted but errors are deferred until module type is determined), and Module (.mjs files where HTML comments emit an error). This enables security tools to properly detect HTML comment injection vectors.
Changes:
- Added lexer support for recognizing `<!--` and `-->` as HTML comments with mode-specific behavior
- Implemented deferred error handling for unambiguous mode (.js files) that emits errors only when ESM syntax is detected
- Added comprehensive tests and improved error messages for HTML comments in modules
Reviewed changes
Copilot reviewed 7 out of 12 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| crates/oxc_parser/src/lexer/punctuation.rs | Implements HTML comment recognition in read_left_angle() and read_minus() with mode-specific logic |
| crates/oxc_parser/src/lexer/mod.rs | Adds deferred_module_errors vector to track HTML comment errors in unambiguous mode |
| crates/oxc_parser/src/lib.rs | Integrates deferred error handling to emit or discard HTML comment errors based on resolved module type |
| crates/oxc_parser/src/diagnostics.rs | Adds new diagnostic message "HTML comments are not allowed in modules" |
| tasks/coverage/misc/fail/html-comment-in-module.mjs | Test case for HTML comments in explicit module files (.mjs) |
| tasks/coverage/misc/fail/html-comment-with-esm.js | Test case for HTML comments in .js files that contain ESM syntax |
| crates/oxc_codegen/tests/integration/tester.rs | Adds helper function for testing with unambiguous source type |
| crates/oxc_codegen/tests/integration/js.rs | Comprehensive integration tests covering various HTML comment scenarios |
| tasks/coverage/snapshots/*.snap | Updated snapshots showing improved error messages and proper HTML comment handling |
## Summary

Closes #18392

Support HTML-like comments (`<!--` and `-->`) per ECMAScript Annex B.1.1:

- **Script/CommonJS mode**: HTML comments recognized as single-line comments
- **Unambiguous mode (.js)**: HTML comments recognized; error deferred until ESM syntax detected
- **Module mode (.mjs)**: HTML comments at start of line emit "HTML comments are not allowed in modules" error; `<!--` in middle of expression (e.g. `foo <!--bar`) parses as operators

This enables proper detection of HTML comment injection vectors in security tools like [AikidoSec/zen-internals](AikidoSec/zen-internals#125).

🤖 Generated with [Claude Code](https://claude.ai/code)
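The three modes in the commit message above, as an added example that is not part of the PR or of oxc: a simplified JavaScript model of which `<!--` / `-->` spans become comments and when the module error is emitted, plus a cross-check of the script-goal reading against the running engine. The names `scanHtmlComments` and `differential` and the regex-based ESM detection are assumptions made for illustration.

```javascript
// Added example: a simplified model, not oxc's lexer. It skips quoted strings and
// `//` comments only (assumption: no regex literals or block comments in the input).
const MODULE_ERROR = "HTML comments are not allowed in modules";
// Assumption: ESM syntax is spotted by regex; a real parser decides from the AST.
const ESM_SYNTAX = /^\s*(?:import|export)\b(?!\s*\()/m;

function scanHtmlComments(source, mode) {
  const comments = []; // text treated as a single-line comment
  const flagged = [];  // offsets that are errors once the file is known to be a module
  const eol = (from) => {
    const n = source.indexOf("\n", from);
    return n < 0 ? source.length : n;
  };
  let lineStart = true; // only whitespace seen so far on this line
  for (let i = 0; i < source.length; ) {
    const ch = source[i];
    if (ch === "\n") { lineStart = true; i++; continue; }
    if (ch === " " || ch === "\t" || ch === "\r") { i++; continue; }
    if (source.startsWith("//", i)) { i = eol(i); continue; }
    if (ch === '"' || ch === "'" || ch === "`") {
      let j = i + 1;
      while (j < source.length && source[j] !== ch) j += source[j] === "\\" ? 2 : 1;
      i = j + 1; lineStart = false; continue;
    }
    const open = source.startsWith("<!--", i);
    const close = lineStart && source.startsWith("-->", i); // `-->` only at line start
    // Module mode keeps a mid-line `<!--` as the operators `<`, `!`, `--`.
    if ((open || close) && (mode !== "module" || lineStart)) {
      const end = eol(i);
      if (mode !== "module") comments.push(source.slice(i, end));
      if (mode !== "script") flagged.push(i); // deferred in "unambiguous"
      i = end; continue;
    }
    lineStart = false; i++;
  }
  const isModule = mode === "module" ||
    (mode === "unambiguous" && ESM_SYNTAX.test(source));
  const errors = isModule ? flagged.map((offset) => ({ offset, message: MODULE_ERROR })) : [];
  return { comments, errors };
}

// Cross-check against the running engine: Function bodies use the non-module goal,
// so `<!--` starts a comment there; a module reads the same bytes as `x < !--y`.
function differential(x, y) {
  return {
    asScript: new Function("x", "y", "return x <!--y\n")(x, y),
    asModuleTokens: new Function("x", "y", "return x < ! --y")(x, y),
  };
}
```

A scanner that picks the wrong mode for a file reports a different token stream from the one the runtime executes, which is the mismatch the deferred error in unambiguous mode is meant to avoid.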
### 💥 BREAKING CHANGES

- 22dec6a semantic: [**BREAKING**] Remove `Scoping::scope_build_child_ids` and all related APIs (#18362) (Dunqing)
- 30a4899 oxc: [**BREAKING**] Remove `CompilerInterface::semantic_child_scope_ids` (#18361) (Dunqing)
- 777fc40 ast: [**BREAKING**] Add `Ident` type (#18354) (Boshen)
- af0ca46 span: [**BREAKING**] Use `ModuleKind::CommonJS` for `SourceType::cjs()` (#18276) (sapphi-red)

### 🚀 Features

- 0a02026 semantic: Add TS1499 code to diagnostic (#18557) (camc314)
- 8b4618f parser: Add TS1500 code to diagnostic (#18547) (camc314)
- 866b6b3 parser: Add TS1048 code to diagnostic (#18546) (camc314)
- 1117c44 parser: Add TS1054 code to diagnostic (#18541) (camc314)
- e4fcdde semantic: Add TS1053 code to diagnostic (#18539) (camc314)
- bcbf396 semantic: Add TS1052 code to diagnostic (#18538) (camc314)
- 8155edf semantic: Add TS1049 code to diagnostic (#18535) (camc314)
- 51d3b3f parser: Add TS1502 code to diagnostic (#18534) (camc314)
- 00854e8 semantic: Add TS2337 error code to super call diagnostic (#18531) (camc314)
- 993fd2b parser: Parse unambiguous await with better error messages (#18480) (Boshen)
- 8db0e78 linter/plugins: Handle BOMs (#18376) (overlookmotel)
- 6ac09e2 linter/plugins: Support source text not being at start of buffer (#18375) (overlookmotel)
- 2ef5647 ast: Add escape_raw parameter to template_element builders (#18121) (Boshen)

### 🐛 Bug Fixes

- 74d0998 semantic: Update error msg for multiple `default` cases in switch stmt (#18526) (camc314)
- c205b0d ast: Remove `ThisExpression` from `TSModuleReference` (#18489) (Boshen)
- aed3669 parser: Parse HTML-like comments in unambiguous mode (#18442) (Boshen)
- c4132fb parser: Validate accessor parameters in interface method signatures (#18391) (Boshen)
- b0cd74d semantic: Allow `var` and `function` with same name in static blocks (#18358) (Boshen)
- 6037995 semantic: Allow `new.target` in class field initializers (#18349) (Boshen)
- 9a15c6a semantic: Do not rely on spans for node comparison in `Function::bind` (#18296) (overlookmotel)

### ⚡ Performance

- 6b600c4 semantic: Skip parent lookup for function declarations in `Function::bind` (#18293) (overlookmotel)
- c27ad2d semantic: Move check for function declaration out of `is_function_part_of_if_statement` (#18292) (overlookmotel)
- 63eb89e semantic: Skip checking redeclarations for function expressions (#18291) (overlookmotel)
- 7c12743 semantic: Skip checking unresolved exports in CommonJS files (#18250) (overlookmotel)
- 2349031 allocator: Increase initial chunk size from 512B to 16KB (#18234) (Boshen)

### 📚 Documentation

- 8ccd853 npm: Update package homepage URLs and add keywords (#18509) (Boshen)
- 9b3165f napi/parser: Clarify when to use `parseAsync` vs `parseSync` (#18486) (Boshen)
- 1b59f63 napi/parser: Correct typo in README (#18251) (overlookmotel)
- 00ff75f mangler: Fix `top_level` option in example (#18233) (overlookmotel)
- 2ddc073 semantic: Fix typo in comment (#18238) (overlookmotel)

Co-authored-by: Boshen <[email protected]>
# Oxlint

### 💥 BREAKING CHANGES

- 777fc40 ast: [**BREAKING**] Add `Ident` type (#18354) (Boshen)

### 🚀 Features

- 34c3ec3 linter/prefer-logical-operator-over-ternary: Implement fixer (#18545) (camc314)
- 019e0aa linter/valid-typeof: Add suggestions if type is misspelled (#18543) (camchenry)
- 704c8eb linter/use-isnan: Add more specific error message for equality/inequality (#18542) (camchenry)
- 1e99ace linter/use-isnan: Support more `indexOf` cases and improve diagnostic messages (#18537) (camchenry)
- bffd134 linter/text-encoding-identifier-case: Add `withDash` option (#18533) (camc314)
- 993fd2b parser: Parse unambiguous await with better error messages (#18480) (Boshen)
- b4b6247 linter/plugins: `RuleTester` support settings (#18445) (overlookmotel)
- 15d69dc linter: Implement react/display-name rule (#18426) (camchenry)
- 2fbceae linter: Implement rule docs and config support for rules with tuple config options. (#18372) (connorshea)
- 8db0e78 linter/plugins: Handle BOMs (#18376) (overlookmotel)
- 6ac09e2 linter/plugins: Support source text not being at start of buffer (#18375) (overlookmotel)
- fc3c86b linter: Update 125 rules to raise errors when provided with invalid config options. (#18104) (connorshea)
- 2cc6ad2 linter/plugins: Add `ecmaFeatures` to `parserOptions` (#18313) (overlookmotel)

### 🐛 Bug Fixes

- 2acf568 linter/plugins: Keep `Infinity` in rule default options (#18550) (overlookmotel)
- 332d2ef linter/plugins: Add `jsx` property to `parserOptions.ecmaFeatures` (#18549) (overlookmotel)
- 7d9bb1b linter: Update `eslint/func-names` to error on invalid rule config options, improve docs. (#18510) (connorshea)
- 9c67974 linter: Improve the jsx-a11y/no-noninteractive-tabindex rule to match original rule logic better (#17848) (connorshea)
- 75e7163 vscode: Support json5 for oxfmt (#18502) (Sysix)
- c205b0d ast: Remove `ThisExpression` from `TSModuleReference` (#18489) (Boshen)
- c51339a oxlint/lsp: Respect code action `source.fixAll` as an alias for `source.fixAll.oxc` (#18366) (Sysix)
- 3c0e9b9 oxlint/lsp: Skip dangerous fixes/suggestions for "fix all" code action and command (#18364) (Sysix)
- c44c093 linter: Fix behavior of unicorn/catch-error-name to match original rule (#18209) (connorshea)
- 9c65aff linter/jsx-a11y: Change `no-autofocus` autofix to suggestion (#18155) (Ben Lowery)
- 235c820 linter/unicorn: Fix `prefer-array-some` autofix for `.filter().length` pattern (#18153) (Ben Lowery)
- a9925dc linter: Mark fixes in `unicorn/no-null` rule as dangerous. (#18436) (connorshea)
- cee29b4 linter: Remove confusing scope from `react/only-export-components` rule diagnostics. (#18434) (connorshea)
- aed3669 parser: Parse HTML-like comments in unambiguous mode (#18442) (Boshen)
- b8a371d linter: Fix the path used in the gitlab format output (#18165) (connorshea)
- e046ea6 linter: `vue/no-lifecycle-after-await` skip looking into arrow functions (#18302) (Sysix)
- a9bfbcf linter: Compatibility issue with `DiagnosticData` type in ESLint (#18396) (루밀LuMir)
- 10ab424 linter: `react/no_array_index_key` continue search for other attributes (#18409) (Lonami)
- 9d776d4 linter: Update `import/no-cycle` rule to error on invalid config options. (#18330) (connorshea)
- c163231 linter: Update eslint/sort-imports to validate options. (#18378) (connorshea)
- 79bbcff linter: Update `eslint/func-style` to error on invalid configuration options. (#18390) (connorshea)
- b871235 linter/plugins: Fix identifying "use strict" directives in scope analysis (#18402) (overlookmotel)
- 5985141 linter: Update `jest/prefer-lowercase-title` rule to error on invalid config options. (#18332) (connorshea)
- faca4b5 linter/plugins: Tokenize `let`, `static` and `yield` as `Keyword`s (#18368) (overlookmotel)
- a3914fd linter/plugins: Allow line number passed to `report` to be 1 over line count (#18341) (overlookmotel)
- 88e0896 linter: Update `typescript/no-restricted-types` rule to error on invalid config options. (#18329) (connorshea)
- 9eec600 linter: Update `react/jsx-fragments` rule to raise an error on invalid configuration options (#18111) (connorshea)
- 0fa969d linter: Update `react/no-will-update-set-state` to error on invalid config options (#18112) (connorshea)
- 70e7be4 linter: Update `import/no-unassigned-import` to raise an error when passed invalid config options. (#18108) (connorshea)
- 496cac7 linter: Update `unicorn/explicit-length-check` to raise an error when passed invalid config options. (#18107) (connorshea)
- 080b1ec linter: Update 5 more rules to error on invalid config options. (#18113) (connorshea)
- c5d05dd linter: Update 11 rules to raise an error on invalid config options. (#18109) (connorshea)
- 9e359d4 linter/plugins: Set all properties on global vars objects (#18317) (overlookmotel)
- 39c7f32 linter/plugins: Set `writeable` flag on variables where defined as globals (#18316) (overlookmotel)
- a570693 linter/plugins: Fix `CatchClause` scopes (#18312) (overlookmotel)
- 8c98e69 linter: `vitest/prefer-describe-function-title`: Check earlier to avoid false positive (#18177) (Jovi De Croock)
- 44be0eb linter/plugins: Set scope analyse settings based on source type (#18306) (overlookmotel)
- b9a14fd vscode: Update package.json to restrict a few more config options. (#18270) (Connor Shea)
- c1260cb vscode: Update version info formatting. (#18274) (connorshea)
- 2f68dc6 vscode: Update notification for client restart to specify tool. (#18273) (connorshea)

### ⚡ Performance

- dc931ba linter/no-inner-declarations: Skip scope flags lookup in modules (#18249) (overlookmotel)
- 07618a7 linter: Turn off `scope_build_child_ids` for SemanticBuilder (#18360) (Dunqing)
- 1aac079 linter/exhaustive-deps: Simplify the logic of checking if the identifier it is a dependency of hook (#18350) (Dunqing)
- 591d522 linter/block-scoped-var: Avoid `iter_all_scope_child_ids` by walking references/redeclarations scope ancestors (#18335) (Dunqing)
- 2eefd6d linter/plugins: Remove branch from token parsing (#18369) (overlookmotel)

### 📚 Documentation

- 698c21d linter: Modernize docs for various React rules (#18559) (connorshea)
- 314a47c linter: Clarify the `no-find-dom-node` rule with a note that the method was removed in React 19. (#18556) (connorshea)
- 5eff704 linter: Update `no-inner-declarations` to fix config option docs (#18511) (connorshea)
- dd5d2f6 linter: Improve diagnostic message in `valid_typeof` rule. (#18507) (connorshea)
- 8ccd853 npm: Update package homepage URLs and add keywords (#18509) (Boshen)
- 4958233 linter: Add missing "What it does" section in prefer-reflect-apply rule. (#18475) (connorshea)
- 2fa83a4 linter: Improve the docs for import/unambiguous. (#18474) (connorshea)
- 7b1505c linter: Improve docs for `oxc/only-used-in-recursion` rule. (#18473) (connorshea)
- ab506d6 linter/plugins: Correct comment (#18456) (overlookmotel)
- 4565c73 linter: `react/display-name`: add docs for config options (#18430) (camchenry)
- b95a89f linter: Fix docs for the curly rule. (#18374) (connorshea)
- f675eb4 linter: Fix the `react/only-export-components` rule docs. (#18319) (connorshea)
- 704db95 linter: "no-unused-vars" extend ignored files section for svelte and astro files (#18304) (Sysix)
- 3af4a88 linter: Add "Examples" headers to rules missing them (#18266) (connorshea)

# Oxfmt

### 💥 BREAKING CHANGES

- 777fc40 ast: [**BREAKING**] Add `Ident` type (#18354) (Boshen)

### 🚀 Features

- d71c15d oxfmt: Enable tailwind sort inside xxx-in-js (#18417) (leaysgur)
- 52b5003 formatter,oxfmt: Support Angular `@Component({ template, styles })` (#18324) (leaysgur)

### 🐛 Bug Fixes

- 224140c oxfmt: Canonicalize `..` component in config path (#18570) (leaysgur)
- 30b467e formatter: Preserve trailing comments before the semicolon in class methods without a body (#18446) (Dunqing)
- c205b0d ast: Remove `ThisExpression` from `TSModuleReference` (#18489) (Boshen)
- 164bbd7 formatter: Preserve trailing comments inside ternary alternate branch (#18433) (Dunqing)
- 1c50800 formatter: Use HTML entity escaping for JSX attribute strings (#18385) (Boshen)
- 4e156d2 formatter: Preserve parentheses for `in` expressions in arrow function block bodies (#18352) (Boshen)
- 7e6c15b oxfmt: Increase Tailwind CSS test timeout for Windows CI (#18339) (Boshen)
- 29966eb formatter/dead-code-removal: Handle tailwind sorting (#18321) (leaysgur)
- 29f41be formatter: Only expand mapped types when newline immediately follows opening brace (#18087) (Boshen)
- 2194552 formatter: Relocate leading comments for single-element union/intersection types (#18083) (Boshen)

### ⚡ Performance

- 85ab400 formatter: Store `AstNodes` itself instead of `&'a AstNodes` as the `parent` field of `AstNode` (#18428) (Dunqing)
- 194d384 formatter: Reduce AstNode size by 8 bytes using following_span_start (#18347) (Dunqing)
- b2df8fb oxfmt: Enable tailwind plugin only for relevant parser (#18418) (leaysgur)

### 📚 Documentation

- 8ccd853 npm: Update package homepage URLs and add keywords (#18509) (Boshen)

Co-authored-by: Boshen <[email protected]>