Safe value must use [property]=binding after bypass security with DomSanitizer

See original GitHub issue

[X ] bug report => search github for a similar issue or PR before submitting [ ] feature request [ ] support request => Please do not submit support request here, instead see

Current behavior Trying to set source of HTMLAudioElement programatically returns error that Safe value must use [property]=binding.

Expected behavior After bypass security there should be no error about safe value.

Minimal reproduction of the problem with instructions https://plnkr.co/edit/JitVPcTJbTIzq6ylynZW?p=preview

let audioPlayer: HTMLAudioElement = this.playerRef.nativeElement;
audioPlayer.src = this.domSanitizer.bypassSecurityTrustResourceUrl(value) as string;

Please tell us about your environment:

Angular version: 2.4.1
Browser: Tested on Chromium 55.0.2883.87
Language: Tested on Typescript 2.0.1
Node (for AoT issues): node --version = 6.0

Issue Analytics

State:
Created 7 years ago
Comments:9 (3 by maintainers)

Top GitHub Comments

8reactions

lluzcommented, Feb 15, 2017

Bind ‘src’ to the audio element (src/app.html):

<audio #player style="width: 100%" controls="controls" [src]="srcValue">

Pass the url by setting ‘srcValue’

export class App {
  @ViewChild('player')
  private playerRef: ElementRef;
  
  name:string;
  srcValue: string;
  
  constructor(private domSanitizer: DomSanitizer) {
    this.name = 'Angular2';
  }
  
  buttonClickHandler(){
    let URL = 'http://www.soundhelix.com/examples/mp3/SoundHelix-Song-1.mp3';
    let audioPlayer: HTMLAudioElement = this.playerRef.nativeElement;
    this.srcValue = this.domSanitizer.bypassSecurityTrustResourceUrl(URL);
  }
}

Result: https://plnkr.co/edit/L2bnfa0su03SRC7bod6i?p=preview

3reactions

rjametcommented, Jan 24, 2017

Hi,

You’re hitting the SafeSomething.toString function: https://github.com/angular/angular/blob/master/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts#L210

I took a look, and I think your repro mixes two patterns: the playerRef -> nativeElement you’re using gives you direct access to the DOM element, outside of Angular’s mechanisms. You’re passing the wrapped value returned by bypassSecurity, but you’re already outside of Angular with the direct DOM access, and you can assign directly your value (https://plnkr.co/edit/nf8ZcGGVVDrSpdpS7Nih?p=preview). That error you see is just the DOM function stringifying the safe type.

If you want to stay within Angular, you’d need the wrapped type to bind on the audio src attribute (like so: https://plnkr.co/edit/HjBH6wv7OfpkPJA71J6l?p=preview).

I guess you had the WARNING: sanitizing unsafe URL value blob:http://localhost:4200/... (see http://g.co/ng/security#xss) error earlier when trying to bind the value?