
fix: Strip HTML comments from security advisory HTML before sanitization#17037

Open
stevejalim wants to merge 1 commit intomainfrom
WT-668--sec-advisories-rendering

Conversation

@stevejalim
Contributor

Some older advisories (e.g. mfsa2009-33) contain HTML comments with placeholder content commented out, generally CVE references.

However, the justhtml sanitizer escapes these into visible <!-- … --> text on the rendered page, making them visible.

The fix is a new strip_html_comments() function that removes comments before sanitization runs, preventing them from being escaped into visible page content.

If this changeset needs to go into the FXC codebase, please add the WMO and FXC label.

Issue / Bugzilla link

https://mozilla-hub.atlassian.net/browse/WT-668

Testing

  • make preflight to get current data
  • view http://localhost:8000/en-US/security/advisories/mfsa2009-33/ and note the appearance of comment-like text - this is because the < and > have been escaped, so don't mark the start of an ignorable comment.
  • on this branch, run python manage.py update_security_advisories to re-import the data
  • Confirm the pseudo-comment is no longer in the page

Some older advisories (e.g. mfsa2009-33) contain HTML comments with
placeholder content commented out, generally CVE references.

However, the justhtml sanitizer escapes these into visible
`<!-- … -->` text on the rendered page, making them visible.

The fix is a new strip_html_comments() function that removes comments
before sanitization runs, preventing them from being escaped into
visible page content.
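As an added illustration (not bedrock's code, and not the justhtml library), the following Python models the ordering this PR introduces: a `strip_html_comments()` that removes complete comments, a toy allowlist sanitizer that stands in for the escaping behaviour described above, and a `sanitize_advisory_html()` that chains the two in the fixed order. The sample advisory text, the toy sanitizer and its allowlist are constructed for this example; the real justhtml configuration and the real mfsa2009-33 markup are not shown on this page.

```python
"""Strip HTML comments before allowlist sanitization (added example).

This is NOT bedrock's code and NOT the justhtml library. _ToyAllowlistSanitizer
is a stand-in that reproduces the behaviour the PR describes: anything it does
not allow, comments included, is escaped into visible text.
"""
import html
import re
from html.parser import HTMLParser

# A complete comment, newlines allowed inside (re.DOTALL). Non-greedy so that
# two comments on one line are removed separately instead of swallowing the
# text between them.
_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def strip_html_comments(raw: str) -> str:
    """Remove complete <!-- ... --> comments from advisory HTML.

    Only complete comments are removed. An unterminated '<!--' is deliberately
    left alone: the sanitizer that runs next still sees it, so nothing the
    stripper fails to recognise can bypass the sanitizer.
    """
    return _COMMENT_RE.sub("", raw)


class _ToyAllowlistSanitizer(HTMLParser):
    """Minimal escaping allowlist sanitizer (stand-in, not justhtml)."""

    ALLOWED_TAGS = {"p", "ul", "li", "a", "b", "i", "code", "h2", "h3"}
    ALLOWED_ATTRS = {"href", "title"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            # Disallowed tag: escape the raw tag text so it renders as text.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = "".join(
            f' {k}="{html.escape(v or "")}"' for k, v in attrs if k in self.ALLOWED_ATTRS
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        closing = f"</{tag}>"
        self.out.append(closing if tag in self.ALLOWED_TAGS else html.escape(closing))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        # This is the step that leaked '<!-- ... -->' into the rendered page:
        # the comment is escaped rather than dropped, so it becomes visible text.
        self.out.append(html.escape(f"<!--{data}-->"))

    def result(self) -> str:
        self.close()
        return "".join(self.out)


def sanitize_only(raw: str) -> str:
    """Old order: the sanitizer runs on the raw HTML and escapes comments."""
    s = _ToyAllowlistSanitizer()
    s.feed(raw)
    return s.result()


def sanitize_advisory_html(raw: str) -> str:
    """New order: strip complete comments first, then sanitize what is left."""
    return sanitize_only(strip_html_comments(raw))


# Constructed sample, not the text of any real advisory.
SAMPLE_ADVISORY = """<h2>Constructed advisory</h2>
<p>Fixed in <b>Firefox 3.5</b>. See <a href="https://example.invalid/x" onclick="evil()">details</a>.</p>
<!-- <p>CVE-XXXX-XXXX (placeholder)</p> -->
<ul>
  <li>First item</li><!-- one --><!-- two -->
</ul>
<!--
multi-line placeholder
-->
<script>alert(1)</script>
"""

if __name__ == "__main__":
    print("--- before: comments escaped into visible text ---")
    print(sanitize_only(SAMPLE_ADVISORY))
    print("--- after: comments stripped before sanitization ---")
    print(sanitize_advisory_html(SAMPLE_ADVISORY))
```

The point worth keeping in mind when reviewing a change like this: the comment stripper is cosmetic, not a security control. It runs before the sanitizer and only removes text it positively recognises as a complete `<!-- ... -->` comment, so anything it misses (an unterminated `<!--`, or comment syntax the regex does not cover) still reaches the allowlist sanitizer, which on this page's account escapes it into visible text rather than treating it as markup. The stripper therefore cannot widen what the sanitizer lets through, and the `<script>` and `onclick` in the constructed sample are still neutralised by the sanitizer, not by the stripper.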
@stevejalim stevejalim requested a review from a team as a code owner February 17, 2026 15:31
@stevejalim stevejalim requested review from Copilot and wen-2018 and removed request for a team February 17, 2026 15:31
@codecov

codecov bot commented Feb 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.50%. Comparing base (e4c4905) to head (8638be2).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #17037   +/-   ##
=======================================
  Coverage   81.49%   81.50%           
=======================================
  Files         171      171           
  Lines        9203     9206    +3     
=======================================
+ Hits         7500     7503    +3     
  Misses       1703     1703           


Contributor

Copilot AI left a comment


Pull request overview

This PR fixes a rendering issue in older security advisories where HTML comments (<!-- ... -->) were being escaped by the justhtml sanitizer and shown as visible text on the page. It introduces a preprocessing step to remove HTML comments before sanitization, and adds targeted tests to prevent regressions.

Changes:

  • Add strip_html_comments() helper to remove HTML comments from advisory HTML prior to sanitization.
  • Update sanitize_advisory_html() to call strip_html_comments() before running the allowlist sanitizer.
  • Add unit tests covering comment stripping (single-line, multiline, multiple, empty) and an integration-style sanitization test for comments.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Files reviewed:

  • bedrock/security/management/commands/update_security_advisories.py: adds HTML-comment stripping and wires it into advisory HTML sanitization.
  • bedrock/security/tests/test_commands.py: adds coverage for comment stripping and ensures sanitized output doesn't leak escaped comment text.

Collaborator

@wen-2018 wen-2018 left a comment


r+
