Unsafe protocol in the embed tag

lodrantl · March 17, 2016, 2:00pm

I’m using a query parameter (lets call it url), to set a src of an embed tag on my page.

So going to localhost:4200/show?url=“http://outsideresource.com/image.svg” should give you a page with the svg image embedded.

The minimal template for page show would look like this: <embed src="{{page}}"/>

But somehow “http://outsideresource.com/image.svg” gets replaced with “unsafe:http://outsideresource.com/image.svg”.

Does anybody know why?

broerse · March 19, 2016, 12:17pm

I think it comes from the sanitizeAttributeValue sub in ember.js itself. Not sure how to overwrite it.

lodrantl · March 22, 2016, 8:03pm

I managed to bypass the problems, by wrapping the embed with a component, and setting the src attribute on didInsertElement.

export default Ember.Component.extend({                
  tagName: "embed",                                    
  classNames: ['full-size'],                           
                                                      
  didInsertElement() {                                 
    this.$().attr("src", this.get("source"));          
  }                                                    
});

broerse · March 22, 2016, 8:34pm

Wow! Interesting solution.

Topic		Replies	Views
How to bind a javascript href and bypass XSS unsafe protection?	1	2332	March 29, 2016
Restricting access to images Ember Data	8	830	March 20, 2021
Best practice to deal with 404 error on images in emberJS	3	3489	December 4, 2014
Can't use external images	31	7397	October 8, 2013
Ember content security policy error while following new emberjs guides?	2	2410	December 10, 2015

Unsafe protocol in the embed tag

Related Topics