Comments are useful for maintaining software, but end users should not see them. They can also reveal information about possible security flaws, so extra care must be taken to ensure comments stay hidden from view.
For example, the traditional way to do HTML comments is below
<!-- BUG: This page still grants access if the user changes date on their PC to before 2000. Michael to fix. -->
But the above comment will be seen by anyone who views the HTML source of the web page, clearly not what the developer had in mind to show to customers or potential hackers. If correct JSP comment tags are used, the text is stripped out when the page is compiled:
<%-- This will be removed by the JSP compiler and never sent to the browser. --%>