
Is it possible for 3rd party js scripts to be injected INSIDE of an already existing comment on the document?

I'm discussing an error my coworker received on our staging environment with a few other developers. Basically what they have deduced is this:

We have a <script> at the top of the <body> that is commented out:

<!-- <script src="some-file.js"></script>-->

And a third-party script is being injected into the document. This script looks like this:

<!-- Begin Vendor Code -->
<script src=".."></script>
<script src=".."></script>
<!-- End Vendor Code -->

What it looks like has happened is that the vendor code has been injected after the opening comment of the <script> tag that is already commented out:

<!--<!-- Begin Vendor Code -->
<script src=".."></script>
<script src=".."></script>
<!-- End Vendor Code --><script src="some-file.js"></script>-->

This leaves a stray --> at the end that is rendered out as live text.

I've never seen this before. Didn't think it was possible? My coworker says otherwise. What's going on here?

Any help would be greatly appreciated. Thanks!

Edit: To be clear, I'm not looking for a solution. The obvious solution is to remove the commented out <script> tag. But I want to know if this is a real thing. My argument is human error.

XML and DOM can access comments! Not sure if write is possible but read is.

See https://developer.mozilla.org/de/docs/Web/API/Node/nodeType. You have to loop through the DOM and check what type of node you find. "8" is a comment!

Example code to list all comments on a page: http://code.stephenmorley.org/javascript/dom-nodetype-constants/

Another answer that might help: https://stackoverflow.com/a/16151902/22470
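
An added example (not part of the original question or answer): HTML comments do not nest, so a comment ends at the first "-->" after its "<!--". The scanner below applies that rule to the two snippets from the question and shows that the merged markup yields two comment nodes, a stray "-->" text node, and a live some-file.js script. The function names `segments` and `audit` are hypothetical, and the scanner is a simplification that ignores script/style bodies and ">" inside attribute values.

```javascript
// Added example: split markup into comment, tag and text segments using the
// HTML rule that a comment ends at the FIRST "-->" (comments do not nest).
// Simplification (assumption): script/style bodies, ">" inside attribute
// values and the "<!-->" short form are not handled; the snippets from the
// question do not need them.
function segments(html) {
  const out = [];
  let i = 0;
  while (i < html.length) {
    if (html.startsWith("<!--", i)) {
      const end = html.indexOf("-->", i + 4);
      const stop = end === -1 ? html.length : end + 3;
      out.push({ type: "comment", nodeType: 8, raw: html.slice(i, stop) });
      i = stop;
    } else if (html[i] === "<") {
      const end = html.indexOf(">", i);
      const stop = end === -1 ? html.length : end + 1;
      out.push({ type: "tag", raw: html.slice(i, stop) });
      i = stop;
    } else {
      const next = html.indexOf("<", i);
      const stop = next === -1 ? html.length : next;
      const raw = html.slice(i, stop);
      if (raw.trim() !== "") out.push({ type: "text", nodeType: 3, raw });
      i = stop;
    }
  }
  return out;
}

// Summarise what a reviewer would check: comments, live scripts, stray "-->".
function audit(html) {
  const segs = segments(html);
  return {
    comments: segs.filter(s => s.type === "comment").length,
    liveScripts: segs.filter(s => s.type === "tag" && /^<script\b/i.test(s.raw)).map(s => s.raw),
    strayCloser: segs.some(s => s.type === "text" && s.raw.includes("-->")),
  };
}

// Markup copied from the question: the original comment, then the merged result.
const before = '<!-- <script src="some-file.js"></script>-->';
const after = [
  '<!--<!-- Begin Vendor Code -->',
  '<script src=".."></script>',
  '<script src=".."></script>',
  '<!-- End Vendor Code --><script src="some-file.js"></script>-->',
].join("\n");

console.log(audit(before));
console.log(audit(after));
```

In a browser, the same check on a rendered page is a walk over the DOM looking for nodes with nodeType 8 and for text nodes containing "-->".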
