From d5acc8a9e75b11936ce23764ddd98158db86f4c6 Mon Sep 17 00:00:00 2001
From: Joscha Rohmann <joscha@kanaye.net>
Date: Mon, 3 Oct 2016 14:16:18 +0200
Subject: [PATCH] Added escaping in VirtualComments.

---
 src/query/VirtualComment.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/query/VirtualComment.js b/src/query/VirtualComment.js
index 71602a6..fd20b01 100644
--- a/src/query/VirtualComment.js
+++ b/src/query/VirtualComment.js
@@ -2,8 +2,9 @@
   '../core',
   '../var/trimRegExp',
   './var/dataIdAttr',
-  './VirtualElement'
-], function (blocks, trimRegExp, dataIdAttr, VirtualElement) {
+  './VirtualElement',
+  '../modules/Escape'
+], function (blocks, trimRegExp, dataIdAttr, VirtualElement, Escape) {
   function VirtualComment(commentText) {
     if (!VirtualComment.prototype.isPrototypeOf(this)) {
       return new VirtualComment(commentText);
@@ -27,7 +28,7 @@
       if (dataId) {
         html += dataId + ':';
       }
-      html += this._commentText.replace(trimRegExp, '') + ' -->';
+      html += Escape.forHTML(this._commentText.replace(trimRegExp, '')) + ' -->';
 
       return html;
     },