9

I am trying to render base64 string into <img src='data:image/png;base64,${Here}'.

But always when I try to render it, ng2 sanitizing my base64 string before rendering it adds something into my value before showing it in DOM. I have found workaround(using DomSanitizer) but it doesn't work on latest versions.

Here is my markup:

<img alt="RegularImage" src="data:image/png;base64,{{imgBase64}}">

And here is my component part:

imgBase64="SomeBase64StringFetchedSomehow";

But angular2 is showing in console next message - WARNING: sanitizing unsafe URL value

How to prevent NG2 from sanitizing my base64 string?

Update

get getImg() {
    return this._sanitizer.sanitize(SecurityContext.URL,`data:image/png;base64,${this.img}`);
}

Doesn't solve this issue. DomSanitizer class does not exists anymore in RC6

Improve this question
2
  • 1
    Why are you not using final instead of RC.6? Commented Sep 16, 2016 at 6:01
  • Just tryied with RC.7 and release version of angular2. Commented Sep 16, 2016 at 6:51

3 Answers 3

Reset to default
10

You need to explicitly tell Angular2 that the string is trusted

https://angular.io/docs/ts/latest/api/platform-browser/index/DomSanitizer-class.html

constructor(private sanitizer:DomSanitizer) {}

get imgBase64() {
  this.sanitizer.bypassSecurityTrustUrl('data:image/png;base64,$SomeBase64StringFetchedSomehow');
}

<img alt="RegularImage" [src]="imgBase64">

See also In RC.1 some styles can't be added using binding syntax

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

There is no DomSanitizer class anymore. I was trying to use new one - Sanitizer but it failed with same error. return this._sanitizer.sanitize(SecurityContext.URL,data:image/png;base64,${this.img});
Of course there is. Check the link in my answer (import info is at the bottom of the site). (Previously it was named DomSanitizationService)
Module '".../node_modules/@angular/core/index"' has no exported member 'DomSanitizer'
As I mentioned above it was renamed. I guess in RC.7 so you probably need to use DomSanitizationService or perhaps DomSanitizerService (don't remember exactly) (or update to final)
Not sure why some people say it doesn't work. It works fine in Angular 8
|
4

After few hours of researches I have finally found that in latest version of ng2 there is no DomSanitizer that can be injected using DI, however there is Sanitizer. So here is the usage:

constructor( private _sanitizer: Sanitizer){
}

get getImg() {
    return this._sanitizer.sanitize(SecurityContext.URL, `data:image/png;base64,${this.img}`);
}

<input src="{{getImg}}"/>

As you can see first argument of sanitize method is SecurityContext instance, which basically is enum. So right now Sanitizer is a factory which choose the implementation to use based on SecurityContext

In my case I had a problem that my base64 was sanitized before that get, that why I was not able to get it working.

Improve this answer

Comments

4

After unsuccessfully trying to get the bypassSecurityTrust... functions to work, I resorted to the following:

@ViewChild('div_element_id') private div_element_id: ElementRef;
...

this.div_element_id.nativeElement.innerHTML = bypass_security_for_this_html;
Improve this answer

2 Comments

Oh, my. No. This should never be done. Bypassing sanitazation leaves you open to XSS attacks.
Not if the html is trusted, for example, it was created in a CMS.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.