You need to explicitly tell Angular2 that the string is trusted
https://angular.io/docs/ts/latest/api/platform-browser/index/DomSanitizer-class.html
constructor(private sanitizer:DomSanitizer) {}
get imgBase64() {
this.sanitizer.bypassSecurityTrustUrl('data:image/png;base64,$SomeBase64StringFetchedSomehow');
}
<img alt="RegularImage" [src]="imgBase64">
See also In RC.1 some styles can’t be added using binding syntax