Aziz also expresses these worries: “The 2.0 version of its framework hasn’t been released and its biggest 1.x contributor is now working at Microsoft on FAST, so it remains to be seen what the future of the Aurelia framework [and its security] is,” he commented.
In the original discussion, @EisenbergEffect concluded this way:
I am not convinced that this addresses the concerns sufficiently. Many people will use the sanitizeHTML value converter without knowing about the issues, especially if they started using it before the docs were edited in 2019. There’s no guarantee that they will see the warning in the console, either.
My suggestion would be the following:
- Make HTMLSanitizer throw an error in its sanitize() function, requiring supplying a “real” implementation to work at all.
- Deprecate all previous versions of the aurelia-templating-resources NPM package, and possibly also aurelia-bootstrapper.
- (Perhaps too radical?) Make innerhtml.bind require and use a sanitizer implementation, with an explicit option to override.
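The fail-closed design the comment argues for, sketched here as an added JavaScript example that is not Aurelia's code: the default sanitizer refuses to run, the value converter and the innerHTML binding helper both require an implementation to be supplied explicitly, and the only way around that is a named, auditable opt-out. The class names `HTMLSanitizer`, `EscapingSanitizer` and `SanitizeHTMLValueConverter`, the `renderInnerHTML` helper and its `trustHTML` option, and the sample input are all assumptions made for this illustration.

```javascript
// Added illustration (not Aurelia's code): a fail-closed sanitizer contract.
// The default implementation throws, so an application that binds untrusted
// HTML without registering a real sanitizer fails loudly at first use instead
// of silently passing markup through.

class HTMLSanitizer {
  // Default: refuse to sanitize rather than pretend to.
  sanitize(_input) {
    throw new Error(
      'No HTML sanitizer configured: register an HTMLSanitizer implementation ' +
      'before binding untrusted markup'
    );
  }
}

// Stand-in "real" implementation for the demo: it escapes every markup
// character so the result always renders as text. A production application
// would plug in a proper allow-list sanitizer library here.
class EscapingSanitizer extends HTMLSanitizer {
  sanitize(input) {
    const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
    return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
  }
}

// Hypothetical value-converter-style wrapper: there is no permissive fallback,
// the sanitizer must be handed in when the converter is constructed.
class SanitizeHTMLValueConverter {
  constructor(sanitizer) {
    if (!(sanitizer instanceof HTMLSanitizer)) {
      throw new TypeError('SanitizeHTMLValueConverter requires an HTMLSanitizer');
    }
    this.sanitizer = sanitizer;
  }
  toView(untrustedHtml) {
    return this.sanitizer.sanitize(untrustedHtml);
  }
}

// Hypothetical innerHTML binding helper (the "innerhtml.bind" idea): a
// sanitizer is mandatory unless the caller sets the explicit trustHTML opt-out.
// `target` is any object with an innerHTML property, so this runs outside a DOM.
function renderInnerHTML(target, html, options = {}) {
  if (options.trustHTML === true) {
    target.innerHTML = html; // explicit, greppable opt-out for already-trusted markup
    return target;
  }
  if (!(options.sanitizer instanceof HTMLSanitizer)) {
    throw new TypeError('renderInnerHTML: a sanitizer is required unless trustHTML is set');
  }
  target.innerHTML = options.sanitizer.sanitize(html);
  return target;
}

// Demo helper: report whether a conversion produced output or failed closed.
function tryConvert(converter, input) {
  try {
    return { ok: true, value: converter.toView(input) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample input (not taken from the page).
const SAMPLE = '<b>hello</b>';

// Usage: the default fails closed, the registered implementation produces text.
console.log(tryConvert(new SanitizeHTMLValueConverter(new HTMLSanitizer()), SAMPLE));
console.log(tryConvert(new SanitizeHTMLValueConverter(new EscapingSanitizer()), SAMPLE));
console.log(renderInnerHTML({ innerHTML: '' }, SAMPLE, { sanitizer: new EscapingSanitizer() }).innerHTML);
```

The point of the pattern is where the failure surfaces: with a throwing default, a missing sanitizer is caught the first time a template renders in development, rather than surviving as a console warning nobody reads.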