Ban HTML comments from your pages and views

Too many people don’t realize that there are other options than <!-- --> comments to annotate HTML. These comments are harmful because they are sent to the client and thus make your page heavier than it needs to be.

Replacing client comments with server comments

When doing ASP.NET, a simple drop-in replacement is server comments, which are delimited by <%-- --%> instead of <!-- -->. Those server comments are visible in your source code, but will never be rendered to the client.

Here’s a simple way to sanitize a web site. From Visual Studio, hit CTRL+H to bring up the search and replace dialog.

Choose “Replace in Files” from the second menu on top of the dialog. Open the find options, check “use” and make sure “Regular expressions” is selected. Use “*.aspx;*.ascx;” as the file types to examine. Choose “Entire Solution” under “Look in”.

Here’s the expression to search for comments:

\<!--{[^-]*}--\>

And here’s the replacement string:

<%--\1--%>

I usually use the “Find Next” and “Replace” buttons rather than the more brutal “Replace All” in order to not apply the fix blindly. Once this is done, I do a second manual pass of finds with the same expression to make sure I didn’t miss anything.
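
The same conversion as a script, as an added example that is not from the original post: it also converts comments whose text contains a "-" character, which the [^-]* expression above cannot match, and it leaves conditional comments and #include directives alone because the browser or ASP.NET acts on them. The function names and the sample markup are constructed for illustration.

```python
import re

# Existing server comments are matched first so they are left untouched;
# only client comments capture a "body" group.
COMMENT = re.compile(r"<%--.*?--%>|<!--(?P<body>.*?)-->", re.DOTALL)

def is_functional(body):
    """True for comments that the browser or ASP.NET acts on."""
    stripped = body.strip()
    return (
        stripped.startswith("[if")           # IE conditional comment opener
        or stripped.startswith("<![endif]")  # downlevel-revealed closer
        or stripped.endswith("<![endif]")    # conditional comment closer
        or stripped.startswith("#")          # server-side include directive
    )

def to_server_comments(markup):
    """Return (converted_markup, skipped) for the text of one .aspx/.ascx file."""
    skipped = []

    def swap(match):
        body = match.group("body")
        if body is None:                     # already a <%-- --%> comment
            return match.group(0)
        # A body containing "--%>" would end the server comment early.
        if is_functional(body) or "--%>" in body:
            skipped.append(match.group(0))   # left for manual review
            return match.group(0)
        return "<%--" + body + "--%>"

    return COMMENT.sub(swap, markup), skipped

# Constructed sample markup, not taken from a real site.
SAMPLE = (
    '<%-- already server-side --%>\n'
    '<!-- TODO: re-enable the admin-only export link -->\n'
    '<!--[if lt IE 9]><script src="shim.js"></script><![endif]-->\n'
    '<!-- #include file="footer.inc" -->\n'
    '<div>content</div>\n'
)

if __name__ == "__main__":
    converted, skipped = to_server_comments(SAMPLE)
    print(converted)
    for comment in skipped:
        print("left as-is:", comment)
```

The skipped list plays the role of the second manual pass: anything still delimited by <!-- --> after the run is reported rather than silently rewritten.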

25 Comments

  • Nice tip, Bertrand. I knew about the serverside comments, but I usually forget about the regex-based search and replace capability in VS. Thanks!

  • This is a nice post. I knew that HTML comments are sent to the client but I never thought much about the effect of HTML comments on page-size until now. Yeah, HTML comments should be considered bad practice unless you specially need it like for proof-of-concept.

  • Thanks. Great tip. I actually had no idea there was such a thing as server comments. This is sort of a peripheral comment but maybe it will save some mouse clicks. CTRL+SHIFT+H gets you straight to Replace In Files. The same pattern works with CTRL+F/CTRL+SHIFT+F for Find/Find In Files. Hope this helps.

  • @Dave: I haven't tested it but I'm pretty sure you only pay an extremely small price at compile time. All the parser has to do is skip those guys. And the parser is going to run on your page anyways. So...

  • I had no idea. Thanks for the tip

  • Thank you for your tip. I'll use server comments more often when I need to comment anything.

  • Thank you for your tip.

    In my opinion, during the development process you should never leave commented tags or code, however important they might be.

    It's OK if you are commenting your code with some nice explanation.
    But if you want to save something for the future and are commenting it out, it's the wrong way.
    Much better to store everything in the source control system. This will let you always return to the working version and make your code cleaner.

  • Thanks... I didn't know it... Very useful.

  • @atagaew: I'd actually encourage server comments: they're harmless. Plus, many people don't know to look in source control.

  • It sure would be nice if the built-in chord CTRL+K/CTRL+C that I use after highlighting a set of lines I want to comment out would produce the type of comments you recommend instead of the ones it does now.

  • @fmorris0: errr, it does: I just tried it in VS 2008, and the code I selected got surrounded by ...

  • @Henrick: yes, one more reason to run the replace occurrence by occurrence. I guess you could have a more elaborate regex that handles it...

  • Not only do HTML comments make your HTML fatter but they can also leak sensitive business information to possible hackers.

  • Bertrand, simply brilliant. Tried and did see the comment not getting to the end user.

    Arun

  • Nice tip, but the pattern's not quite right. Try it with this comment:

  • @Stephen: you can always serve your CSS from an aspx file, the browser won't care, but you'll lose all IntelliSense and stylesheet smarts from VS if you do that so I would recommend against it.
    What I would recommend is to use a minifier such as the Ajax Minifier (http://aspnet.codeplex.com/releases/view/40584) as a build task to create comment-less and minified versions of your script and CSS files.

    @RichardD: Easy: "". This is not a security feature. You'd be crazy to put super-secret anything in a comment or source code. Super-secret stuff belongs in an encrypted blob.

  • I wasn't suggesting that you should put secrets in a comment; I was just pointing out that any comment containing the "-" character would be skipped by your regex pattern.

  • @RichardD: ah, yes, sorry I misunderstood. Yes, that expression is simplistic and fails on several occasions, but it worked fine for me: I do a search on <!-- after doing this to double check for stuff that it missed.

  • Very Cool. Thanks for Posting

  • Excellent post. I do not know about it. Great work done. Thanks dude.

  • I never knew this fact...
    thanks for telling us the core concept of HTML rendering.

    great work...

  • I like clean html and I don't want to see developer's comments. However I fail to see the problem with html file size. You're talking about perhaps 1,2 Kb of comments per html page. That's irrelevant.

  • @Laurence: if that's irrelevant to you, good for you! Some people care.

  • Thanks for the tip on server side comments. Personally I'd like to have seen .Net handle the old HTML comments better but I appreciate it's to do with how the XML is parsed. Just seems odd how a lot of standards suddenly went out of the window when .Net became flavour of the month.

  • @Denzel: what do you mean?
