Vulnerable JavaScript Comments

While checking my balance today on my bank's web portal, I got curious and used View Source to look at the HTML and JavaScript code. I was wondering what standards they follow for HTML and JavaScript coding. While digging through the JavaScript, I was surprised to see a whole bunch of code comments left by the development team. What was more interesting was that those JavaScript comments not only tell you bug numbers, who worked on the fixes and on what date, but also what the actual issue was and how it was resolved.

Here is one of the more interesting examples:

<script language="JavaScript1.2">
function alert_keycode(){
/*
Abhilash. 

This script was added bcze on pressing enter key on pwd field used to get Submittted but since the Command Action invoked was diff one that of OK button, it was not producing desired results. The solution was create a temp hidden field and changing Pwd field name to that of Ok button dynamically, assigning tmp-hidden field name/value with original Pwd Field name/value. 

And submit is invoked


*/

    frm = document.confirmFrm;
    if(event.keyCode==13)
    {
        blah blah blah
    }
}
</script>

I love how detailed and technical an explanation Abhilash provided for resolving the issue.

I see this kind of JavaScript comment as a major vulnerability in a web application, especially for a financial institution. It is like showing the internal guts of the company to outside attackers and explaining to them the existing issues and bugs in the system, which can innocently reveal a vulnerability or security hole in the application. On top of that, these comments also increase the payload of the page.

So how can Abhilash provide detailed comments about his bug fix without revealing any technical or business explanation in the web application? I think the best workaround is to use server-side comments instead. These comments are for developers, not for users.

It could be something like this:

<script language="JavaScript1.2">
function alert_keycode(){
<%
/*
Abhilash. 

This script was added bcze on pressing enter key on pwd field used to get Submittted but since the Command Action invoked was diff one that of OK button, it was not producing desired results. The solution was create a temp hidden field and changing Pwd field name to that of Ok button dynamically, assigning tmp-hidden field name/value with original Pwd Field name/value. 

And submit is invoked


*/
%>
    frm = document.confirmFrm;
    if(event.keyCode==13)
    {
        blah blah blah
    }
}
</script>

In the modified snippet above, I am using server-side comments to document the bug details and fixes, so they are never rendered to the browser at all. I believe this is a much better way to handle JavaScript comments. What do you think?
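To catch this kind of leak before a page ships, here is an added example (my own code, not from the original post or the bank's site): a small Python check that pulls every comment out of inline script blocks and flags the ones that read like bug-tracker notes. The marker list and the two sample pages are constructed for the demonstration; the "vulnerable" page is modelled on the snippet above, and the "clean" page is what the browser receives once the note lives in a server-side comment.

```python
"""Scan served HTML for JavaScript comments that leak internal detail."""
import re

# Words that suggest a comment is developer chatter rather than a licence
# header. Constructed list; tune it for your own codebase.
LEAK_MARKERS = ("bug", "fix", "issue", "todo", "hack", "workaround",
                "pwd", "password", "ticket")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Block comments first, then line comments. Does not skip string literals,
# which is acceptable for a coarse pre-deployment scan.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def extract_js_comments(html: str) -> list[str]:
    """Return every comment found inside inline <script> bodies."""
    comments = []
    for body in SCRIPT_RE.findall(html):
        comments.extend(c.strip() for c in COMMENT_RE.findall(body))
    return comments


def find_leaky_comments(html: str) -> list[str]:
    """Return only the comments containing at least one leak marker."""
    return [c for c in extract_js_comments(html)
            if any(m in c.lower() for m in LEAK_MARKERS)]


# Constructed sample modelled on the post's snippet (not the bank's page).
VULNERABLE_PAGE = """<script language="JavaScript1.2">
function alert_keycode(){
/* Abhilash. Added because Enter on the pwd field submitted the wrong
   action; fix: temp hidden field renamed to the OK button. */
frm = document.confirmFrm;
if(event.keyCode==13) { /* ... */ }
}
</script>"""

# The same page after the note was moved into a server-side comment,
# i.e. what the browser actually receives.
CLEAN_PAGE = """<script language="JavaScript1.2">
function alert_keycode(){
frm = document.confirmFrm;
if(event.keyCode==13) { /* ... */ }
}
</script>"""

if __name__ == "__main__":
    for c in find_leaky_comments(VULNERABLE_PAGE):
        print("LEAK:", c)
```

Run it against the rendered output of a page (the HTML the server actually sends), not against the template source, since that is the only place where server-side comments can be confirmed to have been stripped.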