From 82beb9bec2563c7cda6a2356823853a29db9aab2 Mon Sep 17 00:00:00 2001
From: Rob Eisenberg
Date: Wed, 27 Mar 2019 20:35:15 -0700
Subject: [PATCH] fix(html-sanitizer): only warn if sanitization is attempted
---
src/html-sanitizer.js | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/html-sanitizer.js b/src/html-sanitizer.js
index 5825413..a149dc0 100644
--- a/src/html-sanitizer.js
+++ b/src/html-sanitizer.js
@@ -1,23 +1,26 @@
 import { getLogger } from 'aurelia-logging';
 const SCRIPT_REGEX = /)<[^<]*)*<\/script>/gi;
+let needsToWarn = true;
 /**
 * Default Html Sanitizer to prevent script injection.
 */
 export class HTMLSanitizer {
- constructor() {
- getLogger('html-sanitizer')
- .warn(`CAUTION: The default HTMLSanitizer does NOT provide security against a wide variety of sophisticated XSS attacks, and should not be relied on for sanitizing input from unknown sources. Please see https://aurelia.io/docs/binding/basics#element-content for instructions on how to use a secure solution like DOMPurify or sanitize-html.`);
- }
-
 /**
 * Sanitizes the provided input.
 * @param input The input to be sanitized.
 */
 sanitize(input) {
+ if (needsToWarn) {
+ needsToWarn = false;
+
+ getLogger('html-sanitizer')
+ .warn(`CAUTION: The default HTMLSanitizer does NOT provide security against a wide variety of sophisticated XSS attacks, and should not be relied on for sanitizing input from unknown sources. Please see https://aurelia.io/docs/binding/basics#element-content for instructions on how to use a secure solution like DOMPurify or sanitize-html.`);
+ }
+
 return input.replace(SCRIPT_REGEX, '');
 }
 }
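Review bot: Nothing on the `+let needsToWarn = true;` line says the flag is module-level on purpose, so the caution on the `.warn(` line is now logged at most once per process on the first `sanitize()` call rather than once per `HTMLSanitizer` instance; a comment such as `// Module-level on purpose: log the caution at most once per process, on first use, not per instance.` would stop the next reader from turning it into an instance field and re-introducing the per-construction noise this commit removes. The class docblock still reads as if this were a general-purpose sanitizer, while `sanitize` does nothing beyond `input.replace(SCRIPT_REGEX, '')`, so anything the regex does not match reaches the caller unchanged; the JSDoc on `sanitize` should state that and repeat the DOMPurify/sanitize-html pointer from the warning, because the warning is only seen by deployments whose `html-sanitizer` logger emits at warn level. The regex on the `const SCRIPT_REGEX` line appears garbled in this rendering, so its exact pattern cannot be assessed here.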