From 635dcd2b6ceda332eeb6e1eaaa651de3275f4a00 Mon Sep 17 00:00:00 2001
From: Karl Kemister-Sheppard
Date: Fri, 4 Jul 2025 14:16:43 +1000
Subject: [PATCH 1/3] DOC-3147: New allow_html_in_comments option to allow HTML-like content inside comment data.
---
 modules/ROOT/pages/8.0-release-notes.adoc | 9 ++--
 modules/ROOT/pages/content-filtering.adoc | 2 +
 modules/ROOT/pages/security.adoc | 2 +
 .../configuration/allow_html_in_comments.adoc | 48 +++++++++++++++++++
 4 files changed, 57 insertions(+), 4 deletions(-)
 create mode 100644 modules/ROOT/partials/configuration/allow_html_in_comments.adoc
diff --git a/modules/ROOT/pages/8.0-release-notes.adoc b/modules/ROOT/pages/8.0-release-notes.adoc
index 7c62f25b54..e9a84f52e1 100644
--- a/modules/ROOT/pages/8.0-release-notes.adoc
+++ b/modules/ROOT/pages/8.0-release-notes.adoc
@@ -1,4 +1,3 @@
-
 = {productname} {release-version}
 :release-version: 8.0.0
 :navtitle: {productname} {release-version}
@@ -110,10 +109,12 @@ For information on using Enhanced Skins & Icon Packs, see: xref:enhanced-skins-a {productname} {release-version} also includes the following addition: -// === -// #TINY-vwxyz1 +=== New `allow_html_in_comments` option to allow HTML-like content inside comment data +// #TINY-12220 -// CCFR here. +Previously, comments containing HTML-like content were removed from the editor's content by default for security reasons. This was done using DOMPurify's `SAFE_FOR_XML` option, which ensures that any HTML-like content in comments is stripped out. + +{productname} introduces a new configuration option, xref:content-filtering.adoc#allow_html_in_comments[allow_html_in_comments], to give users control over whether HTML-like content in comments should be retained or removed. By default, this content is removed for security, but setting the option to `true` allows HTML-like content in comments to be preserved when needed. [[changes]]
diff --git a/modules/ROOT/pages/content-filtering.adoc b/modules/ROOT/pages/content-filtering.adoc
index 2a5896970a..e65bc480a3 100644
--- a/modules/ROOT/pages/content-filtering.adoc
+++ b/modules/ROOT/pages/content-filtering.adoc
@@ -5,6 +5,8 @@ include::partial$configuration/allow_conditional_comments.adoc[] +include::partial$configuration/allow_html_in_comments.adoc[] + include::partial$configuration/allow_html_in_named_anchor.adoc[] include::partial$configuration/allow_mathml_annotation_encodings.adoc[]
diff --git a/modules/ROOT/pages/security.adoc b/modules/ROOT/pages/security.adoc
index 9a60891923..0bfe90b472 100644
--- a/modules/ROOT/pages/security.adoc
+++ b/modules/ROOT/pages/security.adoc
@@ -113,6 +113,8 @@ include::partial$configuration/sandbox_iframes.adoc[] include::partial$configuration/convert_unsafe_embeds.adoc[] +include::partial$configuration/allow_html_in_comments.adoc[] + [[insecure-transmission-and-storage-of-data]] === Insecure Transmission and Storage of data
diff --git a/modules/ROOT/partials/configuration/allow_html_in_comments.adoc b/modules/ROOT/partials/configuration/allow_html_in_comments.adoc
new file mode 100644
index 0000000000..626c96a2d9
--- /dev/null
+++ b/modules/ROOT/partials/configuration/allow_html_in_comments.adoc
@@ -0,0 +1,48 @@ +[[allow_html_in_comments]] +== `allow_html_in_comments` + +The `allow_html_in_comments` option allows HTML-like content to be retained in comments within the editor content. By default, {productname} removes comments containing HTML-like content as a security measure (using DOMPurify's `SAFE_FOR_XML` option). + +*Type:* `+Boolean+` + +*Default value:* `+false+` + +[WARNING] +Setting this option to `true` may expose your application to XSS vulnerabilities. The DOMPurify maintainers have identified potential security risks when HTML-like content is allowed in comments. Only enable this option if you trust your content sources and understand the security implications. + +=== Example: using `allow_html_in_comments` + +The following example demonstrates how comments containing HTML are handled by default (removed) and how to configure {productname} to retain them: + +[source,js] +---- +tinymce.init({ + selector: 'textarea', + allow_html_in_comments: true, // Enable HTML in comments +}); +---- + +ifeval::["{docname}" != "security"] +=== Comment behavior examples + +With `allow_html_in_comments: false` (default), the editor's content after initialization will be: +[source,html] +---- +
+

Some content

+

Some additional content

+
+---- + +With `allow_html_in_comments: true`, the editor's content after initialization will be: +[source,html] +---- +
+

Some content

+ +

Some additional content

+
+----
+endif::[]
\ No newline at end of file
From d19513ec9a8991889a697512f275989e5a4308c6 Mon Sep 17 00:00:00 2001
From: Karl Kemister-Sheppard
Date: Mon, 14 Jul 2025 12:58:06 +1000
Subject: [PATCH 2/3] Update modules/ROOT/partials/configuration/allow_html_in_comments.adoc
Co-authored-by: michalnieruchalski-tiugo
---
 modules/ROOT/partials/configuration/allow_html_in_comments.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/ROOT/partials/configuration/allow_html_in_comments.adoc b/modules/ROOT/partials/configuration/allow_html_in_comments.adoc
index 626c96a2d9..b052e83dca 100644
--- a/modules/ROOT/partials/configuration/allow_html_in_comments.adoc
+++ b/modules/ROOT/partials/configuration/allow_html_in_comments.adoc
@@ -1,7 +1,7 @@ [[allow_html_in_comments]] == `allow_html_in_comments`
-The `allow_html_in_comments` option allows HTML-like content to be retained in comments within the editor content. By default, {productname} removes comments containing HTML-like content as a security measure (using DOMPurify's `SAFE_FOR_XML` option).
+The `allow_html_in_comments` option allows HTML-like content to be retained in comments within the editor content. By default, {productname} removes comments containing HTML-like content as a security measure.
 *Type:* `+Boolean+`
From 56a64de095bbb8d4f3ae5c4af415405206a15bfe Mon Sep 17 00:00:00 2001
From: Karl Kemister-Sheppard
Date: Mon, 14 Jul 2025 12:58:54 +1000
Subject: [PATCH 3/3] Update modules/ROOT/pages/8.0-release-notes.adoc
Co-authored-by: michalnieruchalski-tiugo
---
 modules/ROOT/pages/8.0-release-notes.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/ROOT/pages/8.0-release-notes.adoc b/modules/ROOT/pages/8.0-release-notes.adoc
index e9a84f52e1..26c60c2360 100644
--- a/modules/ROOT/pages/8.0-release-notes.adoc
+++ b/modules/ROOT/pages/8.0-release-notes.adoc
@@ -112,7 +112,7 @@ For information on using Enhanced Skins & Icon Packs, see: xref:enhanced-skins-a === New `allow_html_in_comments` option to allow HTML-like content inside comment data // #TINY-12220 -Previously, comments containing HTML-like content were removed from the editor's content by default for security reasons. This was done using DOMPurify's `SAFE_FOR_XML` option, which ensures that any HTML-like content in comments is stripped out. +Comments containing HTML-like content are removed from the editor's content by default for security reasons. This is done during the sanitization process, which ensures that any HTML-like content in comments is stripped out. {productname} introduces a new configuration option, xref:content-filtering.adoc#allow_html_in_comments[allow_html_in_comments], to give users control over whether HTML-like content in comments should be retained or removed. By default, this content is removed for security, but setting the option to `true` allows HTML-like content in comments to be preserved when needed.