Comments (9)
@metalaureate, as explained, Angular 1 and 2 will always sanitize data that gets injected into the DOM, it will not respect any CSP rules present, thus also in Angular 1 you need to whitelist the cdvphotolibrary
protocol like so:
var app = angular
.module('myApp', [])
.config([
'$compileProvider',
function ($compileProvider) {
$compileProvider.aHrefSanitizationWhitelist(/^\s*(https?|ftp|mailto|cdvphotolibrary):/);
// Angular before v1.2 uses $compileProvider.urlSanitizationWhitelist(...)
}
]);
from cordova-plugin-photo-library.
Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template, via property, attribute, style, class binding, or interpolation, Angular sanitizes and escapes untrusted values (source)
@viskin, the cdvfile://
and cdvphotolibrary://
'prefixes' are (indeed) both treated as unsafe, I've tested both plugins. The CSP meta tag can be seen as the first layer of defense, but as we've seen, Angular has its own.
So as a note to the use of Ionic 2, one can construct a Pipe, to sanitize the URL's used in this plugin. Another solution might be returning a blob
or ArrayBuffer
(instead of URL's), as implemented in this cordova-plugin-photos.
@Pipe({name: 'safeUrl'})
export class Safe {
constructor(private sanitizer:DomSanitizer){}
transform(url) {
return this.sanitizer.bypassSecurityTrustUrl(url);
}
}
@Component({
selector: 'app',
template: '<img [src]="url | safeUrl"></div>',
pipes: [
SanitizeHtml
]
})
export class AppComponent{
public url: string = 'placeholder.jpg';
constructor() {
// fetch thumbnail URL's
this.url = libraryItem.thumbnailURL;
}
}
from cordova-plugin-photo-library.
I have some issues with sanatization. The guideline for Angular 2 in the Readme is not correct.
...
@Component({ selector: 'app', template: '<img [src]="url | safeUrl"></div>', pipes: [ SafeUrl ] })
...
With my little research , I saw that Pipes cannot be declared inside component anymore. They should be declared in NgModules . Notice also the closing tag inside template. It should be img instead of div.
However, even after doing that, I get SafeValue must use [property]=binding: cdvphotolibrary://photo?photoId=65E0377C-1838-4FC8-990F-34801BA0F6A9%2FL0%2F001 (see http://g.co/ng/security#xss)
Does anybody else has this issue in ios ?
from cordova-plugin-photo-library.
Nice finding. I don't use ng2 in my current project, so I cannot tell exactly what's going on here, but...
It's interesting why DomSanitizer decides to add unsafe: prefix to cdvphotolibrary protocol? cordova-plugin-file uses cdvfile:// protocol, do you use it in your app? I wonder if cdvfile:// also needs to be manually trusted with ng2?
Anyway, if you will use PipeTransform to perform bypassSecurityTrustUrl on cdvphotolibrary urls, in a way described here, will it work and will it be convenient enough? If so, we can recommend this solution in README.
from cordova-plugin-photo-library.
@viskin Apologies if this is not the same issue--I'm using Angular 1.5 and I get this error when I try to construct the url:
Refused to load unsafe:cdvphotolibrary://photo?photoId=5F347FD6-7D84-4208-BA29-BD4C5735525D%2FL0%2F001 because it does not appear in the img-src directive of the Content Security Policy.
My CSP tag looks like:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: cdvphotolibrary:">
from cordova-plugin-photo-library.
Great, I will add this info to README.
Thank you.
@dnmd, we already support returning blob instead of url with photoLibrary.getThumbnail and photoLibrary.getPhoto.
from cordova-plugin-photo-library.
@arberK Thanks, I updated the readme.
from cordova-plugin-photo-library.
Have the same issue of @arberK. @viskin, how can the bypass be achieved?
from cordova-plugin-photo-library.
Can anybody give the syntax for IONIC 1 i.e angular 1 as i have project running in Angular 1. Any help is highly appreciated.
from cordova-plugin-photo-library.
Related Issues (20)
- ERROR: Method 'requestAuthorization:' not defined in Plugin 'PhotoLibrary'
- Get photo library on ios 13.2.*+
- Success never shows up when no photos in library
- Complier Error
- undeclared type 'CDVURLProtocol' HOT 2
- how can i save a image with base64
- android 10 support (SDK 29) - get error when saving an image HOT 2
- Dependecy cordova-plugin-add-swift-support version="^2.0.2" is not working. UPDATE for earlier swift versions. HOT 1
- Using “requireCordovaModule” to load non-cordova module “glob” is not supported HOT 4
- Using “requireCordovaModule” to load non-cordova module “glob” is not supported HOT 1
- Getting "open failed: EACCES permission denied" even I have permissions. Android 10 HOT 4
- Can't build in IOS xcode HOT 6
- saveVideo ios 10+ 保存失败? HOT 1
- android 11 support (SDK 30) - get error when saving an image HOT 7
- Way to cancel getLibrary process? HOT 1
- i am not able to access specific album library based of id of album?any you help me
- Issue in Android 11 SDK 30 HOT 2
- img src = cdvphotolibrary://... err_unknown_url_scheme && android sdk > 30
- On Android 12, use the cordova.plugins.photoLibrary.saveImage method to save the image and then the APP will flash back HOT 3
- BSF Cordova Ecosystem Crowdfunding Plan
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cordova-plugin-photo-library.