diff --git a/src/html-sanitizer.ts b/src/html-sanitizer.ts
index b8787c6..88c4f1a 100644
--- a/src/html-sanitizer.ts
+++ b/src/html-sanitizer.ts
@@ -1,8 +1,3 @@
-import { getLogger } from 'aurelia-logging';
-
-const SCRIPT_REGEX = /)<[^<]*)*<\/script>/gi;
-let needsToWarn = true;
-
/**
* Default Html Sanitizer to prevent script injection.
*/
@@ -12,15 +7,7 @@ export class HTMLSanitizer {
* @param input The input to be sanitized.
*/
sanitize(input) {
- if (needsToWarn) {
- needsToWarn = false;
-
- getLogger('html-sanitizer')
- .warn(`CAUTION: The default HTMLSanitizer does NOT provide security against a wide variety of sophisticated XSS attacks,
-and should not be relied on for sanitizing input from unknown sources.
+ throw new Error(`To protect the application against a wide variety of sophisticated XSS attacks.
Please see https://aurelia.io/docs/binding/basics#element-content for instructions on how to use a secure solution like DOMPurify or sanitize-html.`);
- }
-
- return input.replace(SCRIPT_REGEX, '');
}
}
diff --git a/test/sanitize-html.spec.ts b/test/sanitize-html.spec.ts
index 084705f..a5a0f4c 100644
--- a/test/sanitize-html.spec.ts
+++ b/test/sanitize-html.spec.ts
@@ -9,21 +9,8 @@ describe('SanitizeHtmlValueConverter', () => {
converter = new SanitizeHTMLValueConverter(new HTMLSanitizer());
});
- it('defaultSanitizer should remove script tags', () => {
- let a = '',
- b = '',
- c = 'foo bar',
- d = '',
- e = 'foo bar';
-
- expect(converter.toView('')).toBe('');
- expect(converter.toView(null)).toBe(null);
- expect(converter.toView(undefined)).toBe(null);
- expect(converter.toView(a)).toBe('');
- expect(converter.toView(b)).toBe('');
- expect(converter.toView(c)).toBe('foo bar');
- expect(converter.toView(d)).toBe('');
- expect(converter.toView(e)).toBe('foo bar');
+ it('defaultSanitizer should throw', () => {
+ expect(() => converter.toView('')).toThrow();
});
it('custom sanitizers can be used', () => {