From 0fa3f022e2d012a2619da631173f49ac452613da Mon Sep 17 00:00:00 2001
From: adon
Date: Mon, 10 Aug 2015 15:54:30 +0800
Subject: [PATCH] update comments

---
 src/xss-filters.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/xss-filters.js b/src/xss-filters.js
index 3ed50b8..0910e9b 100644
--- a/src/xss-filters.js
+++ b/src/xss-filters.js
@@ -20,12 +20,14 @@ exports._getPrivFilters = function () {
 SPECIAL_HTML_CHARS = /[&<>"'`]/g,
 SPECIAL_COMMENT_CHARS = /(?:\x00|^-*!?>|--!?>|--?!?$|\]>|\]$)/g;
- // CSS sensitive chars: ()"'/,!*@{}:;
- // By CSS: (Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast);|(quot|QUOT)
- // By URI_PROTOCOL: (Tab|NewLine);
+ // Only a limited set of named references require decoding:
+ // for CSS: (Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast);|(quot|QUOT);?
+ // for URI: (Tab|NewLine); colon; is decoded by URI_PROTOCOL_COLON
+ // for generic purpose of html decoding: (nbsp|lt|LT|gt|GT|amp|AMP|quot|QUOT);?
 var SENSITIVE_HTML_ENTITIES = /&(?:#([xX][0-9A-Fa-f]+|\d+);?|(Tab|NewLine|colon|semi|lpar|rpar|apos|sol|comma|excl|ast|midast|ensp|emsp|thinsp);|(nbsp|amp|AMP|lt|LT|gt|GT|quot|QUOT);?)/g,
 SENSITIVE_NAMED_REF_MAP = {Tab: '\t', NewLine: '\n', colon: ':', semi: ';', lpar: '(', rpar: ')', apos: '\'', sol: '/', comma: ',', excl: '!', ast: '*', midast: '*', ensp: '\u2002', emsp: '\u2003', thinsp: '\u2009', nbsp: '\xA0', amp: '&', AMP: '&', lt: '<', LT: '<', gt: '>', GT: '>', quot: '"', QUOT: '"'};
+ // CSS sensitive chars: ()"'/,!*@{}:;
 // var CSS_VALID_VALUE =
 // /^(?:
 // (?!-*expression)#?[-\w]+
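Review bot: The new comment block above `SENSITIVE_HTML_ENTITIES` enumerates the named references that need decoding, but it omits `ensp`, `emsp` and `thinsp`, which both the regex's second alternative and `SENSITIVE_NAMED_REF_MAP` include, so a reader of the comment cannot tell which consumer depends on those three space entities or why they require the trailing `;`. Suggest adding a line such as `// for whitespace-sensitive contexts: (ensp|emsp|thinsp); — used by <name the consumer here>`, naming the actual consumer from the code that relies on them (it is not visible in this hunk). The numeric-reference alternative `#([xX][0-9A-Fa-f]+|\d+);?` is likewise undocumented and deserves one line, since it is the broadest path into the decoder and the optional `;` there is a deliberate leniency a maintainer should not "fix" by accident. The enclosing `_getPrivFilters` function body continues outside the hunk.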