Unsafe protocol in the embed tag


I’m using a query parameter (lets call it url), to set a src of an embed tag on my page.

So going to localhost:4200/show?url=“http://outsideresource.com/image.svg” should give you a page with the svg image embedded.

The minimal template for page show would look like this: <embed src="{{page}}"/>

But somehow “http://outsideresource.com/image.svg” gets replaced with “unsafe:http://outsideresource.com/image.svg”.

Does anybody know why?


I think it comes from the sanitizeAttributeValue sub in ember.js itself. Not sure how to overwrite it.


I managed to bypass the problems, by wrapping the embed with a component, and setting the src attribute on didInsertElement.

export default Ember.Component.extend({                
  tagName: "embed",                                    
  classNames: ['full-size'],                           
  didInsertElement() {                                 
    this.$().attr("src", this.get("source"));          


Wow! Interesting solution.