Tales from the Evil Empire

Bertrand Le Roy's blog

Ban HTML comments from your pages and views

Too many people don’t realize that there are other options than <!-- --> comments to annotate HTML. These comments are harmful because they are sent to the client and thus make your page heavier than it needs to be.

When doing ASP.NET, a simple drop-in replacement is server comments, which are delimited by <%-- --%> instead of <!-- -->. Those server comments are visible in your source code, but will never be rendered to the client.

Here’s a simple way to sanitize a web site. From Visual Studio, hit CTRL+H to bring up the search and replace dialog.

Choose “Replace in Files” from the second menu on top of the dialog. Open the find options, check “use” and make sure “Regular expressions” is selected. Use “*.aspx;*.ascx;” as the file types to examine. Choose “Entire Solution” under “Look in”.

Here’s the expression to search for comments:

\<!--{[^-]*}--\>

And here’s the replacement string:

<%--\1--%>

I usually use the “Find Next” and “Replace” buttons rather than the more brutal “Replace All” in order to not apply the fix blindly. Once this is done, I do a second manual pass of finds with the same expression to make sure I didn’t miss anything.
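The search pattern above skips any comment whose text contains a "-", and a blanket replace would also rewrite IE conditional comments. As an added example (not code from the original post), this Python script lists every client-side comment with its line number and converts only the ones that are safe to convert; the sample markup and the function names are constructed for illustration.

```python
import re

# Server comments are matched first so a "<!--" nested inside one is left alone.
# Group 1 is set only for client-side HTML comments; DOTALL covers multi-line
# bodies and ".*?" accepts hyphens, which [^-]* does not.
TOKEN = re.compile(r"<%--.*?--%>|<!--(.*?)-->", re.DOTALL)

def classify(body):
    """Decide what to do with the body of one <!-- --> comment."""
    stripped = body.strip()
    if stripped.startswith("[if") or stripped.endswith("<![endif]"):
        return "conditional"   # IE conditional comment: the browser needs it
    if "--%>" in body:
        return "unsafe"        # would close the server comment too early
    return "convert"

def find_client_comments(text):
    """Return (line_number, kind, body) for each client-side comment."""
    found = []
    for m in TOKEN.finditer(text):
        if m.group(1) is None:  # existing server comment, never sent to client
            continue
        line = text.count("\n", 0, m.start()) + 1
        found.append((line, classify(m.group(1)), m.group(1).strip()))
    return found

def to_server_comments(text):
    """Rewrite convertible <!-- --> comments as <%-- --%>; keep the rest."""
    def swap(m):
        if m.group(1) is not None and classify(m.group(1)) == "convert":
            return "<%--" + m.group(1) + "--%>"
        return m.group(0)
    return TOKEN.sub(swap, text)

# Constructed sample page, not taken from a real project.
SAMPLE = """<%@ Page Language="C#" %>
<!-- TODO: remove the debug panel -->
<!--
  Multi-line note - with hyphens
-->
<!--[if lt IE 8]><link rel="stylesheet" href="ie.css" /><![endif]-->
<%-- already a server comment --%>
<asp:Label runat="server" Text="Hello" />
"""

if __name__ == "__main__":
    for line, kind, body in find_client_comments(SAMPLE):
        print(f"line {line}: {kind}: {body!r}")
    print(to_server_comments(SAMPLE))
```

Comments reported as "conditional" or "unsafe" are left untouched and still need the occurrence-by-occurrence review described above.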

Comments

paul.vencill said:

Nice tip, Bertrand.  I knew about the serverside comments, but I usually forget about the regex-based search and replace capability in VS. Thanks!

# April 2, 2010 7:26 PM

Phil said:

This is a nice post. I knew that HTML comments are sent to the client but I never thought much about the effect of HTML comments on page-size until now. Yeah, HTML comments should be considered bad practice unless you specially need it like for proof-of-concept.

# April 2, 2010 8:56 PM

David Taylor said:

Funny Bertrand that I have been using ASP.NET for almost 10 years (since July 2000 preview) and completely missed this feature.

You are more of a hero than you know by posting this.

One of my biggest frustrations is when I insert a comment or just temporarily comment something out using the <!-- --> syntax and get this type of message:

Literal content ('<!-- test -->') is not allowed within a 'System.Web.UI.WebControls.DataGridColumnCollection'.

However the <%-- test --%> syntax works in these situations!

Thank you so much!

David

# April 2, 2010 9:17 PM

Richard Spiller said:

Thanks. Great tip. I actually had no idea there was such a thing as server comments. This is sort of a peripheral comment but maybe it will save some mouse clicks. CTRL+SHIFT+H gets you straight to Replace In Files. The same pattern works with CTRL+F/CTRL+SHIFT+F for Find/Find In Files. Hope this helps.

# April 2, 2010 9:44 PM

Dave Ward said:

I've actually had a post like this one sitting in my drafts for awhile; glad to see someone posted it.

The reason I held off is that I was unsure how much (if any) performance impact the ASP.NET comment tag has at runtime.  I wanted to be sure I wasn't suggesting to reduce the payload size at the expense of equal or greater penalty in HTML rendering time.

Have you tested that, or know if it's significant?

# April 3, 2010 1:24 AM

Bertrand Le Roy said:

@Dave: I haven't tested it but I'm pretty sure you only pay an extremely small price at compile time. All the parser has to do is skip those guys. And the parser is going to run on your page anyways. So...

# April 3, 2010 1:41 AM

barney ruble said:

I had no idea. Thanks for the tip

# April 3, 2010 1:54 AM

Mehmet Latif Uzunel said:

Thank you for your tip. I'll use server comments more often when I need to comment anything.

# April 3, 2010 2:40 AM

atagaew said:

Thank you for your tip.

In my opinion, during the development process you should never leave commented tags or code, however important they might be.

It's OK if you are commenting your code with some nice explanation.

But if you want to save something for the future and are commenting it out, it's the wrong way.

Much better to store everything in the source control system. This will let you always return to the working version and make your code cleaner.

# April 3, 2010 5:17 AM

outcoldman said:

Thanks... I didn't know it... Very useful.

# April 3, 2010 1:23 PM

Bertrand Le Roy said:

@atagaew: I'd actually encourage server comments: they're harmless. Plus, many people don't know to look in source control.

# April 4, 2010 12:52 AM

fmorris0 said:

It sure would be nice if the built-in chord CTRL+K/CTRL+C that I use after highlighting a set of lines I want to comment out would produce the type of comments you recommend instead of the ones it does now.

# April 4, 2010 9:16 PM

Bertrand Le Roy said:

@fmorris0: errr, it does: I just tried it in VS 2008, and the code I selected got surrounded by <%-- --%>...

# April 4, 2010 11:35 PM

Henrik Nystrom said:

Just remember to avoid replacing any IE conditional comments that you might be using!

# April 5, 2010 4:50 PM

Bertrand Le Roy said:

@Henrik: yes, one more reason to run the replace occurrence by occurrence. I guess you could have a more elaborate regex that handles it...

# April 5, 2010 4:55 PM

Andrei Rinea said:

Not only do HTML comments make your HTML fatter but they can also leak sensitive business information to possible hackers.

# April 6, 2010 8:51 AM

Ryan Heath said:

Or use something like this: omari-o.blogspot.com/.../aspnet-white-space-cleaning-with-no.html

While removing unneeded whitespace you could perhaps remove unneeded comments as well ...

I have not tried it, but it's on my 'todo-research-list'.

// Ryan

# April 7, 2010 11:40 AM

nmarun said:

Bertrand, simply brilliant. Tried and did see the comment not getting to the end user.

Arun

# April 9, 2010 2:21 AM

Stephen said:

This is a great post.

It got me thinking about all those comments in css files.

Any suggestions on how to keep them visible locally, but not when they get downloaded?

# April 9, 2010 10:39 AM

RichardD said:

Nice tip, but the pattern's not quite right. Try it with this comment:

<!--

My super-secret password - don't let anyone see this:

12345

-->

# April 9, 2010 12:36 PM

Bertrand Le Roy said:

@Stephen: you can always serve your CSS from an aspx file, the browser won't care, but you'll lose all IntelliSense and stylesheet smarts from VS if you do that so I would recommend against it.

What I would recommend is to use a minifier such as the Ajax Minifier (aspnet.codeplex.com/.../40584) as a build task to create comment-less and minified versions of your script and CSS files.

@RichardD: Easy: "". This is not a security feature. You'd be crazy to put super-secret anything in a comment or source code. Super-secret stuff belongs in an encrypted blob.

# April 9, 2010 1:54 PM

RichardD said:

I wasn't suggesting that you should put secrets in a comment; I was just pointing out that any comment containing the "-" character would be skipped by your regex pattern.

# April 9, 2010 2:18 PM

Bertrand Le Roy said:

@RichardD: ah, yes, sorry I misunderstood. Yes, that expression is simplistic and fails on several occasions, but it worked fine for me: I do a search on <!-- after doing this to double check for stuff that it missed.

# April 9, 2010 3:10 PM

ancalagon said:

Very Cool. Thanks for Posting

# April 9, 2010 4:38 PM

Faheem Ahmad said:

Excellent post. I do not know about it. Great work done. Thanks dude.

# April 13, 2010 2:18 AM

diadem_2k said:

I never knew this fact...

thanks for telling us the core concept of HTML rendering.

great work...

# April 13, 2010 9:17 AM

Laurence said:

I like clean html and I don't want to see developer's comments. However I fail to see the problem with html file size. You're talking about perhaps 1,2 Kb of comments per html page. That's irrelevant.

# September 3, 2010 8:02 AM

Bertrand Le Roy said:

@Laurence: if that's irrelevant to you, good for you! Some people care.

# September 3, 2010 11:48 AM

Denzel Mayhem said:

Thanks for the tip on server side comments. Personally I'd like to have seen .Net handle the old HTML comments better but I appreciate it's to do with how the XML is parsed. Just seems odd how a lot of  standards suddenly went out of the window when .Net became flavour of the month.

# September 20, 2010 5:33 AM

Bertrand Le Roy said:

@Denzel: what do you mean?

# September 20, 2010 3:52 PM