diff --git a/test/unit/environment_test.rb b/test/unit/environment_test.rb
index 14eb404..00d2eae 100644
--- a/test/unit/environment_test.rb
+++ b/test/unit/environment_test.rb
@@ -879,4 +879,12 @@ class EnvironmentTest < Test::Unit::TestCase
assert_no_match /[<>]/, environment.message_for_disabled_enterprise
end
+ should 'not sanitize html comments' do
+ environment = Environment.new
+ environment.message_for_disabled_enterprise = '
Wellformed html code
'
+ environment.valid?
+
+ assert_match / Wellformed html code <\/h1>/, environment.message_for_disabled_enterprise
+ end
+
end
diff --git a/test/unit/event_test.rb b/test/unit/event_test.rb
index 43c13df..c9b8b8b 100644
--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -250,4 +250,14 @@ class EventTest < ActiveSupport::TestCase
assert_no_match /[<>]/, event.address
end
+ should 'not sanitize html comments' do
+ event = Event.new
+ event.description = '
Wellformed html code
'
+ event.address = '
Wellformed html code
'
+ event.valid?
+
+ assert_match / Wellformed html code <\/h1>/, event.description
+ assert_match / Wellformed html code <\/h1>/, event.address
+ end
+
end
diff --git a/test/unit/folder_test.rb b/test/unit/folder_test.rb
index 146db28..887cf51 100644
--- a/test/unit/folder_test.rb
+++ b/test/unit/folder_test.rb
@@ -140,6 +140,14 @@ class FolderTest < ActiveSupport::TestCase
assert_equal " Body
", folder.body
end
+ should 'not sanitize html comments' do
+ folder = Folder.new
+ folder.body = '
Wellformed html code
'
+ folder.valid?
+
+ assert_match / Wellformed html code <\/h1>/, folder.body
+ end
+
should 'escape malformed html tags' do
folder = Folder.new
folder.body = ">/h1>"
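/h1>"">
Review bot: The new test only pins the benign case — a comment wrapping well-formed markup survives the check — and nothing alongside it covers a comment that the scanner and a browser would terminate at different points, which is exactly where a comment-aware balance check can be bypassed. A negative case next to 'escape malformed html tags' would close that gap, e.g. `folder.body = '<!-- --!><script>alert(1)</script> -->'` followed by `assert_no_match /<script>/, folder.body`, since HTML5 tokenizers end a comment at `--!>` while `wellformed_html_code?` only recognises `-->`. As the assertion appears here it matches only the trailing text and `</h1>`, so it would also pass if the comment delimiters were stripped and the inner markup kept; anchoring the match on `<!--` as well (the exact fixture text may have been mangled in this rendering, so confirm against the file) would make it assert what the test name says.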
diff --git a/test/unit/profile_test.rb b/test/unit/profile_test.rb
index 1f183ac..30898f2 100644
--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -1553,6 +1553,16 @@ class ProfileTest < Test::Unit::TestCase
assert_no_match /[<>]/, profile.custom_footer
end
+ should 'not sanitize html comments' do
+ profile = Profile.new
+ profile.custom_header = '
Wellformed html code
'
+ profile.custom_footer = '
Wellformed html code
'
+ profile.valid?
+
+ assert_match / Wellformed html code <\/h1>/, profile.custom_header
+ assert_match / Wellformed html code <\/h1>/, profile.custom_footer
+ end
+
private
def assert_invalid_identifier(id)
diff --git a/test/unit/tiny_mce_article_test.rb b/test/unit/tiny_mce_article_test.rb
index 1996ccf..8b9d1dd 100644
--- a/test/unit/tiny_mce_article_test.rb
+++ b/test/unit/tiny_mce_article_test.rb
@@ -74,4 +74,13 @@ class TinyMceArticleTest < Test::Unit::TestCase
article = TinyMceArticle.create!(:profile => profile, :name => 'article', :abstract => 'abstract', :body => "")
assert_equal "", article.body
end
+
+ should 'not sanitize html comments' do
+ article = TinyMceArticle.new
+ article.body = '
Wellformed html code
'
+ article.valid?
+
+ assert_match / Wellformed html code <\/h1>/, article.body
+ end
+
end
diff --git a/vendor/plugins/xss_terminate/lib/xss_terminate.rb b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
index a9c0d6e..d0da8c6 100644
--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -53,7 +53,7 @@ module XssTerminate
if with == :full
self[field] = CGI.escapeHTML(self[field])
elsif with == :white_list
- self[field] = CGI.escapeHTML(self[field]) if !wellformed_html_tag?(self[field])
+ self[field] = CGI.escapeHTML(self[field]) if !wellformed_html_code?(self[field])
end
else
@@ -62,7 +62,7 @@ module XssTerminate
if with == :full
self.send("#{field}=", CGI.escapeHTML(self.send("#{field}")))
elsif with == :white_list
- self.send("#{field}=", CGI.escapeHTML(self.send("#{field}"))) if !wellformed_html_tag?(self.send("#{field}"))
+ self.send("#{field}=", CGI.escapeHTML(self.send("#{field}"))) if !wellformed_html_code?(self.send("#{field}"))
end
end
@@ -103,14 +103,29 @@ module XssTerminate
end
end
- def wellformed_html_tag?(field)
+ def wellformed_html_code?(field)
return true if !field
-
counter = 0
- field.split(//).each do |letter|
- counter += 1 if letter == '<'
- counter -= 1 if letter == '>'
- if counter < 0 || 1 < counter
+ in_comment = false
+ field=field.split(//)
+ for i in 0..field.length-1
+ if !in_comment
+ if field[i] == '<'
+ if field[i+1..i+3] == ["!","-","-"]
+ in_comment = true
+ else
+ counter += 1
+ end
+ elsif field[i] == '>'
+ counter -= 1
+ end
+ else
+ if field[i-2..i] == ["-","-",">"]
+ in_comment = false
+ end
+ end
+
+ if counter < 0 || 1 < counter
return false
end
end
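Review bot: The in-comment branch of `wellformed_html_code?` ends a comment only on `-->` (`field[i-2..i] == ["-","-",">"]`), but an HTML5 tokenizer also closes a comment at `--!>`, so a value such as `<!-- --!><script>alert(1)</script> -->` is treated as one long comment, never touches `counter`, and reaches the `:white_list` assignment unescaped while a browser executes the script; extending the terminator check to `if field[i-2..i] == ["-","-",">"] || field[i-3..i] == ["-","-","!",">"]` closes that mismatch. More generally everything between the delimiters is now skipped without inspection, so comment bodies pass through this check verbatim — unless a later sanitiser strips them (not visible from this hunk), consider also rejecting bodies that contain `<` or start with `[if` (IE conditional comments execute their content), e.g. by counting brackets inside comments as before rather than ignoring them. The method's trailing `return true` and closing `end` lie outside the hunk. On style, reassigning the `field` parameter and iterating with `for i in 0..field.length-1` reads less clearly than `chars = field.chars` with `chars.each_index`, and the nested `if`/`elsif` would be easier to follow as a small `case` on the current character.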
--
libgit2 0.21.2