I have a trivial case of file uploading.
Use case:
User uploads images/videos/audio where an internal URL created from URL.createObjectURL() is used in <img/video/audio src="url">. User uploads other files (MIME is not image/audio/video) that are passed directly to a form-data upload to the backend.
The issue is that Angular doesn't like URLs created by URL.createObjectURL() and goes on with "WARNING: sanitizing unsafe URL value blob:..." and adds "unsafe:" to each of them.
I am looking at other questions like "Unsafe value used in a resource URL context with Angular 2", which are all resolved by bypassing Angular sanitization via this.sanitizer.bypassSecurityTrustUrl(); however, they mention nothing about security concerns.
Why would the Angular sanitizer treat them as insecure? I know what XSS is but don't have any background about possible attack vectors in a trivial case of using URL.createObjectURL() URLs in something like <img src=""/>. In other words, are object URLs on img XSS-exploitable, or is Angular just treating them as insecure to help protect us from carelessly/unintentionally injecting into any JS-executable part of the DOM?
Another thing is that once I change from object URLs to FileReader.readAsDataURL() data URLs, the sanitizer starts complaining only on videos. I have found a similar issue (SVG) at https://github.com/angular/angular/issues/18950 which seems like an Angular issue.
Hello
– Vitaliy Kuznetsov Apr 20 '22 at 14:46
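The question asks why a template sanitizer flags blob: and data: URLs it did not mint itself. The following is an added, framework-free example (not code from the question, from Angular, or from the linked issue) that models the defender-side decision an app should make before calling anything like bypassSecurityTrustUrl(): gate preview-by-object-URL on an explicit media MIME allowlist, accept a blob: URL for a src attribute only when it was minted by our own origin, and accept a data: URL only for a closed list of media types. The origin https://app.example, the allowlists, and the "unsafe:" prefix convention are assumptions made for the example; the allowlists are modelled on the idea of a sanitizer allowlist, not on Angular's actual lists.

```javascript
// Added example: a minimal model of a media-src allowlist, written for illustration.
// It is not Angular's sanitizer; the lists below are the example's own assumptions.

// Only files whose MIME type is image/*, video/* or audio/* get an in-page preview via
// an object URL; everything else goes straight into multipart form-data for the backend.
const PREVIEWABLE_MIME = /^(?:image|video|audio)\//i;

function chooseUploadStrategy(file) {
  return PREVIEWABLE_MIME.test(file.type) ? 'object-url-preview' : 'form-data';
}

// A blob: URL has the shape "blob:<minting origin>/<uuid>". The URL itself is only a
// handle; what it points to is whatever Blob was registered under it, so an app should
// treat one as trusted only when it was minted by the app's own origin (i.e. by code the
// app ran). "blob:null/<uuid>" (sandboxed/opaque origin) and foreign origins are refused.
function isOwnOriginBlobUrl(url, ownOrigin) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  if (parsed.protocol !== 'blob:') return false;
  // For the non-special "blob:" scheme, pathname holds the inner "<origin>/<uuid>" part.
  try { return new URL(parsed.pathname).origin === ownOrigin; } catch { return false; }
}

// Assumed allowlist of data: URL media types for an <img>/<video>/<audio> src. Types that
// can carry markup or script (text/html, image/svg+xml, ...) are deliberately absent.
const DATA_URL_ALLOW =
  /^data:(?:image\/(?:png|jpeg|gif|webp)|video\/(?:mp4|webm)|audio\/(?:mpeg|ogg));base64,[A-Za-z0-9+/]+=*$/i;

// Returns the URL unchanged when it is acceptable for a media src, otherwise returns it
// with an "unsafe:" prefix, the same neutralising convention the question reports Angular using.
function sanitizeMediaSrc(url, ownOrigin) {
  if (typeof url !== 'string') return 'unsafe:';
  const lower = url.trim().toLowerCase();
  if (lower.startsWith('blob:')) {
    return isOwnOriginBlobUrl(url.trim(), ownOrigin) ? url : 'unsafe:' + url;
  }
  if (lower.startsWith('data:')) {
    return DATA_URL_ALLOW.test(url.trim()) ? url : 'unsafe:' + url;
  }
  if (/^https?:\/\//.test(lower)) return url;
  // Any other scheme (including script-bearing ones) is refused in a media src context.
  return 'unsafe:' + url;
}

module.exports = { chooseUploadStrategy, isOwnOriginBlobUrl, sanitizeMediaSrc };
```

In practice the object URL is created from a File the user just picked, so it already passes the own-origin check; the value of the check is that it fails closed for any blob: or data: string that arrives from elsewhere (query parameters, API responses, stored user content), which is exactly the case a template sanitizer cannot distinguish on its own.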