Img tag not working in ionic Beta 8

vardas · June 20, 2016, 1:41pm

I am moving my ionic project from ionic Beta 6 to ionic Beta 8. My code used to work but now I am getting a browser error when doing ionic serve --lab on my img tags.

It is falling over on this line:

<img class='photo-img' [hidden]="!showPhoto1" src='{{theMediaItem.photoURL1}}'>

The error I am getting is:

Error: Uncaught (in promise): EXCEPTION: Error in build/pages/veeu/veeu.html:74:124
ORIGINAL EXCEPTION: Error: unsafe value used in a resource URL context
ORIGINAL STACKTRACE:
[315]</DomSanitizationServiceImpl</DomSanitizationServiceImpl.prototype.sanitize@http://localhost:8100/build/js/app.bundle.js:44595:23
anonymous/_View_VeeUPage0.prototype.detectChangesInternal@VeeUPage.template.js:731:70
[221]</AppView</AppView.prototype.detectChanges@http://localhost:8100/build/js/app.bundle.js:33734:9
[221]</DebugAppView</DebugAppView.prototype.detectChanges@http://localhost:8100/build/js/app.bundle.js:33839:13

The code works fine under Beta 6 but not under Beta 8. Is there something I need to do?

EDIT:

The url it is complaining about is:

http://veeu-images.s3.amazonaws.com/media/userphotos/116_1464645173408_cdv_photo_007.jpg

iignatov · June 20, 2016, 6:18pm

I guess that this is due to the auto-sanitization in the latest RC (see the Angular 2 Changelog for details):

HTML, style values, and URLs are now automatically sanitized. Values that do not match are escaped or ignored. When binding a URL or style property that would get ignored, bind to a value explicitly marked as safe instead by injection the DOM sanitization service:

class MyComponent {
constructor(sanitizer: DomSanitizationService) {
// ONLY DO THIS FOR VALUES YOU KNOW TO BE SAFE! NEVER ALLOW USER DATA IN THIS!
this.safeStyleValue = sanitizer.bypassSecurityTrustStyle(‘rotate(90deg)’);
// then bind to safeStyleValue in your template.
}
}

vardas · June 20, 2016, 6:42pm

I have tried using DomSanitizationService but still get the same error. I have added

theMediaItem.photoURL1 = this.sanitizer.bypassSecurityTrustUrl(theURL);

But this still gives an error.

iignatov · June 20, 2016, 6:50pm

I guess that Angular uses some specific class to mark a value as safe. However in your code you’re just converting it to string (using the {{...}} syntax) so the bypass has no effect. Try binding the value to the attribute, i.e. update your code this way:

<img class='photo-img' [hidden]="!showPhoto1" [src]='theMediaItem.photoURL1'>

vardas · June 20, 2016, 7:02pm

I now have:

<img class='photo-img' [hidden]="!showPhoto1" [src]='theMediaItem.photoURL1'>

And

this.theMediaItem.photoURL1 = this.sanitizeURL(this.mediaItems[1].url);

Where sanitizeURL is:

  sanitizeURL(theURL){
    return this.sanitizer.bypassSecurityTrustUrl(theURL);
  }

I still get the same error message though. Is there some way to turn the sanitization off?

rapropos · June 20, 2016, 8:17pm

I copypasted the link to the image you posted and put it in a scratch project using just the <img [src]="imgSrc"> syntax, no messing with sanitization. Worked fine.

iignatov · June 20, 2016, 8:17pm

I’m not sure why though. I just tested it in plunker and it seems to work as expected. There are also more details in the following Angular 2 issue:

github.com/angular/angular

Interpolation breaks sanitization

opened 10:35AM - 16 Jun 16 UTC

closed 05:34PM - 20 Jun 16 UTC

kleijnweb

area: security

After updating to RC2 a component I was using to create iframes is throwing a se…curity exception in Chrome. **Current behavior** ``` browser_adapter.ts:74EXCEPTION: Error in http://localhost:4200/app/+legacy-iframe/legacy-iframe.component.js class LegacyIframeComponent - inline template:0:8BrowserDomAdapter.logError @ browser_adapter.ts:74BrowserDomAdapter.logGroup @ browser_adapter.ts:85ExceptionHandler.call @ exception_handler.ts:50(anonymous function) @ application_ref.ts:313schedulerFn @ async.ts:140SafeSubscriber.__tryOrUnsub @ Subscriber.ts:240SafeSubscriber.next @ Subscriber.ts:192Subscriber._next @ Subscriber.ts:133Subscriber.next @ Subscriber.ts:93Subject._finalNext @ Subject.ts:154Subject._next @ Subject.ts:144Subject.next @ Subject.ts:90EventEmitter.emit @ async.ts:125NgZone._zoneImpl.ng_zone_impl_1.NgZoneImpl.onError @ ng_zone.ts:134NgZoneImpl.inner.inner.fork.onHandleError @ ng_zone_impl.ts:87ZoneDelegate.handleError @ zone.js:327Zone.runTask @ zone.js:259drainMicroTaskQueue @ zone.js:474ZoneTask.invoke @ zone.js:426 browser_adapter.ts:74ORIGINAL EXCEPTION: Error: unsafe value used in a resource URL contextBrowserDomAdapter.logError @ browser_adapter.ts:74ExceptionHandler.call @ exception_handler.ts:62(anonymous function) @ application_ref.ts:313schedulerFn @ async.ts:140SafeSubscriber.__tryOrUnsub @ Subscriber.ts:240SafeSubscriber.next @ Subscriber.ts:192Subscriber._next @ Subscriber.ts:133Subscriber.next @ Subscriber.ts:93Subject._finalNext @ Subject.ts:154Subject._next @ Subject.ts:144Subject.next @ Subject.ts:90EventEmitter.emit @ async.ts:125NgZone._zoneImpl.ng_zone_impl_1.NgZoneImpl.onError @ ng_zone.ts:134NgZoneImpl.inner.inner.fork.onHandleError @ ng_zone_impl.ts:87ZoneDelegate.handleError @ zone.js:327Zone.runTask @ zone.js:259drainMicroTaskQueue @ zone.js:474ZoneTask.invoke @ zone.js:426 browser_adapter.ts:74ORIGINAL STACKTRACE:BrowserDomAdapter.logError @ browser_adapter.ts:74ExceptionHandler.call @ exception_handler.ts:66(anonymous function) @ application_ref.ts:313schedulerFn @ async.ts:140SafeSubscriber.__tryOrUnsub @ Subscriber.ts:240SafeSubscriber.next @ Subscriber.ts:192Subscriber._next @ Subscriber.ts:133Subscriber.next @ Subscriber.ts:93Subject._finalNext @ Subject.ts:154Subject._next @ Subject.ts:144Subject.next @ Subject.ts:90EventEmitter.emit @ async.ts:125NgZone._zoneImpl.ng_zone_impl_1.NgZoneImpl.onError @ ng_zone.ts:134NgZoneImpl.inner.inner.fork.onHandleError @ ng_zone_impl.ts:87ZoneDelegate.handleError @ zone.js:327Zone.runTask @ zone.js:259drainMicroTaskQueue @ zone.js:474ZoneTask.invoke @ zone.js:426 browser_adapter.ts:74Error: unsafe value used in a resource URL context at DomSanitizationServiceImpl.sanitize (dom_sanitization_service.ts:126) at DebugAppView._View_LegacyIframeComponent0.detectChangesInternal (LegacyIframeComponent.template.js:32) at DebugAppView.AppView.detectChanges (view.ts:255) at DebugAppView.detectChanges (view.ts:372) at DebugAppView.AppView.detectViewChildrenChanges (view.ts:283) at DebugAppView._View_LegacyIframeComponent_Host0.detectChangesInternal (LegacyIframeComponent_Host.template.js:30) at DebugAppView.AppView.detectChanges (view.ts:255) at DebugAppView.detectChanges (view.ts:372) at DebugAppView.AppView.detectContentChildrenChanges (view.ts:275) at DebugAppView._View_VspNg2AppComponent0.detectChangesInternal (VspNg2AppComponent.template.js:322) ``` It did not originally have the "register as safe" call (when I was still using RC1, which worked), but I found similar solutions referenced that would be the correct way to do it. Doesn't change anything though, and the URL is far from suspicious right now. ``` import { Component } from '@angular/core'; import {DomSanitizationService, SafeResourceUrl} from '@angular/platform-browser'; @Component({ moduleId: module.id, selector: 'legacy-iframe', template: '<iframe src="{{ url }}"></iframe>' }) export class LegacyIframeComponent { public url:SafeResourceUrl; constructor(private sanitationService:DomSanitizationService) { this.url = sanitationService.bypassSecurityTrustResourceUrl('/foo'); } } ``` I'd also be content with a workaround for now, like disabling the security altogether..

vardas · June 21, 2016, 7:55am

What version of Angular 2 are you using?

rapropos · June 21, 2016, 8:06am

pad pad stupid forum software rc2.

vardas · June 21, 2016, 8:22am

Ok well it looks like my setup is screwed somehow so I will start from a fresh install and see if that fixes it.