
angular - Image URL is still unsafe after using DomSanitizer

Reposted. Author: 行者123. Updated: 2023-12-04 00:04:25

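I use DocumentsService to get an image file from the server, and after that I use URL.createObjectURL(result) to create an image URL from the server response. Everything works fine, but I keep getting an error about sanitizing unsafe URL and can't see the image.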

    @Injectable()
    export class DocumentsService {

        public url: string = 'api.server.url'

        constructor(private http: HttpClient, private dom: DomSanitizer) {
        }

        public getImageUrl(imageId: string): Observable<any> {

            let requestOptions = {
                params: {
                    id: imageId
                },
                responseType: "blob"
            };

            return this._restClientService.get(this.url, requestOptions).map(result => {
                let url = URL.createObjectURL(result);
                return this.dom.bypassSecurityTrustUrl(url);
            });
        }
    }

In my component I inject the service and

        this._doc.getImageUrl(doc.id)
            .do(console.log) // => SafeUrlImpl {changingThisBreaksApplicationSecurity: "blob:http://localhost:4200/2b9b4820-c7d0-4920-a094-cb3e4cc47c7c"}
            .subscribe(url => this.photoUrl = url)
    }

In the template I use a function to check whether the user has an image

    public getImagePath(): string {
        if (this.photoUrl) {
            return this.photoUrl; // after get the image from documents service
        }
        return FilesUrls.BlankAvatar;
    }

Template

    <img src="{{getImagePath()}}" alt="user image">

I keep getting this error, and I think I missed something

"WARNING: sanitizing unsafe URL value SafeValue must use [property]=binding: blob:http://localhost:4200/79dd8411-44a8-4e08-96d2-ad6d889c1056 (see http://g.co/ng/security#xss) (see http://g.co/ng/security#xss)"

Best answer

I think you are not returning your SafeUrl after bypassSecurityTrustUrl.

See a working version at https://stackblitz.com/edit/angular-bqqumm

The code must be like:

    return this._restClientService.get(this.url, requestOptions).map(result => {
        let url = URL.createObjectURL(result);
        return this.dom.bypassSecurityTrustUrl(url);
    })
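
An added example, not part of the original question or answer and not Angular's source: a simplified stand-alone TypeScript model of the URL sanitizing step, showing why the warning quoted in the question contains "SafeValue must use [property]=binding" and ends with two "(see ...)" suffixes. The class `TrustedUrl`, the function names and the allow-list regex are assumptions that approximate Angular's behaviour; the blob URL is a constructed sample.

```typescript
// Simplified stand-alone model (hypothetical names, not Angular source) of why
// interpolating a SafeUrl produces the warning quoted in the question.
const XSS_DOC = "http://g.co/ng/security#xss";

// Assumed allow-list modelled on Angular's URL sanitizer: known schemes or relative URLs.
const SAFE_URL = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/i;

// Stand-in for the wrapper object returned by bypassSecurityTrustUrl().
class TrustedUrl {
  changingThisBreaksApplicationSecurity: string;
  constructor(url: string) {
    this.changingThisBreaksApplicationSecurity = url;
  }
  // Converting the wrapper to a string does NOT yield the bare URL.
  toString(): string {
    return `SafeValue must use [property]=binding: ${this.changingThisBreaksApplicationSecurity} (see ${XSS_DOC})`;
  }
}

const warnings: string[] = [];

// URL-context sanitizer: trusted wrappers pass through, plain strings are checked.
function sanitizeUrl(value: string | TrustedUrl): string {
  if (value instanceof TrustedUrl) {
    return value.changingThisBreaksApplicationSecurity;
  }
  if (SAFE_URL.test(value)) return value;
  warnings.push(`WARNING: sanitizing unsafe URL value ${value} (see ${XSS_DOC})`);
  return "unsafe:" + value;
}

// src="{{expr}}": interpolation stringifies first, so the trust wrapper is lost.
function renderInterpolated(expr: string | TrustedUrl): string {
  return sanitizeUrl(String(expr));
}

// [src]="expr": the value reaches the sanitizer with its type intact.
function renderPropertyBound(expr: string | TrustedUrl): string {
  return sanitizeUrl(expr);
}

// Constructed sample value in the shape URL.createObjectURL() returns.
const blobUrl = "blob:http://localhost:4200/00000000-0000-0000-0000-000000000000";
const trusted = new TrustedUrl(blobUrl);
```

In the question's template the property-bound path corresponds to `<img [src]="getImagePath()" alt="user image">`, as the warning text itself says. A plain, unwrapped `blob:` string is still rejected by the allow-list, which is why the `bypassSecurityTrustUrl` call is needed for object URLs.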

Regarding angular - Image URL is still unsafe after using DomSanitizer, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/51559673/
