feat(sanitizer): throw instead

src/html-sanitizer.ts

@@ -1,8 +1,3 @@
-import { getLogger } from 'aurelia-logging';
-
-const SCRIPT_REGEX = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;
-let needsToWarn = true;
-
 /**
  * Default Html Sanitizer to prevent script injection.
  */
@@ -12,15 +7,7 @@ export class HTMLSanitizer {
    * @param input The input to be sanitized.
    */
   sanitize(input) {
-    if (needsToWarn) {
-      needsToWarn = false;
-
-      getLogger('html-sanitizer')
-        .warn(`CAUTION: The default HTMLSanitizer does NOT provide security against a wide variety of sophisticated XSS attacks,
-and should not be relied on for sanitizing input from unknown sources.
+    throw new Error(`To protect the application against a wide variety of sophisticated XSS attacks.
 Please see https://aurelia.io/docs/binding/basics#element-content for instructions on how to use a secure solution like DOMPurify or sanitize-html.`);
-    }
-
-    return input.replace(SCRIPT_REGEX, '');
   }
 }

test/sanitize-html.spec.ts

@@ -9,21 +9,8 @@ describe('SanitizeHtmlValueConverter', () => {
     converter = new SanitizeHTMLValueConverter(new HTMLSanitizer());
   });
 
-  it('defaultSanitizer should remove script tags', () => {
-    let a = '<script src="http://www.evil.org"></script>',
-        b = '<div><script src="http://www.evil.org"></script></div>',
-        c = 'foo <script src="http://www.evil.org"></script> bar',
-        d = '<div></div>',
-        e = 'foo bar';
-
-    expect(converter.toView('')).toBe('');
-    expect(converter.toView(null)).toBe(null);
-    expect(converter.toView(undefined)).toBe(null);
-    expect(converter.toView(a)).toBe('');
-    expect(converter.toView(b)).toBe('<div></div>');
-    expect(converter.toView(c)).toBe('foo  bar');
-    expect(converter.toView(d)).toBe('<div></div>');
-    expect(converter.toView(e)).toBe('foo bar');
+  it('defaultSanitizer should throw', () => {
+    expect(() => converter.toView('')).toThrow();
   });
 
   it('custom sanitizers can be used', () => {