Vulnerability Disclosure Contact

I apologize to everyone here. I forgot to follow up on this thread.

The concern that was raised was with Aurelia’s internal HTMLSanitizer. However, per our docs, we indicate that it’s only a dev version and should not be used in production. So, there’s not really a security issue. We’ve updated our docs to add further clarity and guidance on how to replace the sanitizer with a production-grade implementation. We’ve also shipped an update that prints a warning to the console when you use our sanitizer.

3 Likes