From 0ed95422c1441753194a5101810a5968a838439f Mon Sep 17 00:00:00 2001 From: bigopon Date: Fri, 25 Mar 2022 00:57:16 +1100 Subject: [PATCH] feat(sanitizer): throw instead --- src/html-sanitizer.ts | 15 +-------------- test/sanitize-html.spec.ts | 17 ++--------------- 2 files changed, 3 insertions(+), 29 deletions(-) diff --git a/src/html-sanitizer.ts b/src/html-sanitizer.ts index b8787c6..88c4f1a 100644 --- a/src/html-sanitizer.ts +++ b/src/html-sanitizer.ts @@ -1,8 +1,3 @@ -import { getLogger } from 'aurelia-logging'; - -const SCRIPT_REGEX = /)<[^<]*)*<\/script>/gi; -let needsToWarn = true; - /** * Default Html Sanitizer to prevent script injection. */ @@ -12,15 +7,7 @@ export class HTMLSanitizer { * @param input The input to be sanitized. */ sanitize(input) { - if (needsToWarn) { - needsToWarn = false; - - getLogger('html-sanitizer') - .warn(`CAUTION: The default HTMLSanitizer does NOT provide security against a wide variety of sophisticated XSS attacks, -and should not be relied on for sanitizing input from unknown sources. + throw new Error(`To protect the application against a wide variety of sophisticated XSS attacks. Please see https://aurelia.io/docs/binding/basics#element-content for instructions on how to use a secure solution like DOMPurify or sanitize-html.`); - } - - return input.replace(SCRIPT_REGEX, ''); } } diff --git a/test/sanitize-html.spec.ts b/test/sanitize-html.spec.ts index 084705f..a5a0f4c 100644 --- a/test/sanitize-html.spec.ts +++ b/test/sanitize-html.spec.ts @@ -9,21 +9,8 @@ describe('SanitizeHtmlValueConverter', () => { converter = new SanitizeHTMLValueConverter(new HTMLSanitizer()); }); - it('defaultSanitizer should remove script tags', () => { - let a = '', - b = '
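Review bot: In the `sanitize(input)` hunk the method now throws on every call, but the surrounding JSDoc (`@param input The input to be sanitized.` and the class comment "Default Html Sanitizer to prevent script injection") still describes a working sanitizer, and the new error text is a sentence fragment that never tells the caller what to do. Failing closed is the right choice here, since the removed regex strip was easy to bypass, but the message should say that explicitly, e.g. `throw new Error(\`The default HTMLSanitizer is intentionally unusable: register a real sanitizer implementation (e.g. DOMPurify or sanitize-html). See https://aurelia.io/docs/binding/basics#element-content\`);`. Consider also declaring `sanitize(input: string): never` and adding `@throws` to the doc comment so both the compiler and readers see that it never returns. Because the throw happens only when a binding is first evaluated at render time, this is a breaking change for anyone relying on the default, and the commit message should mark it as such (`feat!:` or a `BREAKING CHANGE:` trailer). The `HTMLSanitizer` class header lies between the two hunks of this file and is not visible here.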
', - c = 'foo bar', - d = '
', - e = 'foo bar'; - - expect(converter.toView('')).toBe(''); - expect(converter.toView(null)).toBe(null); - expect(converter.toView(undefined)).toBe(null); - expect(converter.toView(a)).toBe(''); - expect(converter.toView(b)).toBe('
'); - expect(converter.toView(c)).toBe('foo bar'); - expect(converter.toView(d)).toBe('
'); - expect(converter.toView(e)).toBe('foo bar'); + it('defaultSanitizer should throw', () => { + expect(() => converter.toView('')).toThrow(); }); it('custom sanitizers can be used', () => {
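Review bot: The replacement test at the end of the hunk only checks that `converter.toView('')` throws; it never asserts that a non-empty payload throws, nor that the thrown error is the one from `HTMLSanitizer.sanitize` rather than some unrelated failure, so a regression that returned non-empty input untouched would still pass. Tighten it with a realistic input and a message matcher, e.g. `expect(() => converter.toView('<script>alert(1)</script>')).toThrow(/DOMPurify|sanitize-html/);`. The deleted test also pinned `toView(null)` and `toView(undefined)` to `null`; if the value converter still short-circuits nullish input before calling the sanitizer (not visible in this diff), keep those two expectations so that contract stays documented. The enclosing `describe` block continues past the end of the hunk.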