feat(security): warn users when sanitizing in dev mode.

This should help developers to figure out what's going on when the sanitizer
strips some input.

Fixes #8522.

modules/@angular/platform-browser/src/security/html_sanitizer.ts

@@ -253,7 +253,7 @@ export function sanitizeHtml(unsafeHtml: string): string {
     }
 
     if (assertionsEnabled() && safeHtml !== unsafeHtml) {
-      DOM.log('WARNING: some HTML contents were removed during sanitization.');
+      DOM.log('WARNING: sanitizing HTML stripped some content.');
     }
 
     return safeHtml;

modules/@angular/platform-browser/src/security/style_sanitizer.ts

@@ -1,3 +1,6 @@
+import {getDOM} from '../dom/dom_adapter';
+import {assertionsEnabled} from '../../src/facade/lang';
+
 /**
  * Regular expression for safe style values.
  *
@@ -44,5 +47,10 @@ function hasBalancedQuotes(value: string) {
 export function sanitizeStyle(value: string): string {
   value = String(value);  // Make sure it's actually a string.
   if (value.match(SAFE_STYLE_VALUE) && hasBalancedQuotes(value)) return value;
+
+  if (assertionsEnabled()) {
+    getDOM().log('WARNING: sanitizing unsafe style value ' + value);
+  }
+
   return 'unsafe';
 }

modules/@angular/platform-browser/src/security/url_sanitizer.ts

@@ -1,3 +1,6 @@
+import {getDOM} from '../dom/dom_adapter';
+import {assertionsEnabled} from '../../src/facade/lang';
+
 /**
  * A pattern that recognizes a commonly useful subset of URLs that are safe.
  *
@@ -27,6 +30,11 @@
 const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/gi;
 
 export function sanitizeUrl(url: string): string {
-  if (String(url).match(SAFE_URL_PATTERN)) return url;
+  url = String(url);
+  if (url.match(SAFE_URL_PATTERN)) return url;
+
+  if (assertionsEnabled()) {
+    getDOM().log('WARNING: sanitizing unsafe URL value ' + url);
+  }
   return 'unsafe:' + url;
 }