Bad HTML filtering regexp

do you know why CodeQL suggest this? what is wrong in the code?

values = vals.replace(/(^\s*<!--)|(-->\s*$)|\s+/g, '').split(',');

This regular expression only parses --> and not --!> as a HTML comment end tag. CodeQL

Not saying it should look for --!>, however if you need an explanation of your regular expression here it is.

vals.replace(/(^\s*<!--)|(-->\s*$)|\s+/g, '').split(',');

(^\s*<!--) looks for the lines starting with 0 or more whitespace characters and your <!--.

(-->\s*$) looks for --> followed by 0 or more white space characters.

So you need to add: (--!>\s*$) to look for the --!> characters.

vals.replace(/(^\s*<!--)|(-->\s*$)|(--!>\s*$)|\s+/g, '').split(',');

Though I don't think I've ever seen --!> so maybe double check you really do need it. https://www.w3schools.com/tags/tag_comment.asp

This is a good starting point for learning regular expressions: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions