I upgraded to RC1, which caused the previous solution for Beta 17 to no longer work, so I tried using the sanitizer, but that causes problems for styles that may have embedded single quotes.
This statement:
sanitizer.bypassSecurityTrustStyle('url(/pImages/' + this.recipientId + '.jpg)');
gets converted into this:
style="background-image: url("/pImages/57211a89b65ff1be3edd14c9.jpg");"
and the double quote mark right after url( ends the style string and breaks it.
So I tried manually inserting the single quote markers:
sanitizer.bypassSecurityTrustStyle("url(\'/pImages/" + this.recipientId + ".jpg\')");
But it converts those single quotes to double quotes and gives the same result, breaking the style string.
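Added example, not part of the original post: bypassSecurityTrustStyle turns off Angular's style sanitization for the string it is given, so the interpolated recipientId should be validated before the url() value is built. The helper names are hypothetical, and the 24-character hex id format is an assumption taken from the sample id shown in the post.

```typescript
// Added example; helper names are hypothetical, not Angular APIs.
// Assumption: recipient ids are 24-character hex strings, like the sample id in the post.
const RECIPIENT_ID = /^[0-9a-f]{24}$/i;

// Build a single-quoted CSS url() token from a path.
// Control characters (including newlines) would terminate a CSS string early,
// so they are rejected; backslashes and quotes are backslash-escaped so they
// stay inside the quoted string.
function cssUrl(path: string): string {
  if (/[\u0000-\u001f\u007f]/.test(path)) {
    throw new Error("control character in URL path");
  }
  const escaped = path.replace(/[\\'"]/g, (ch) => "\\" + ch);
  return "url('" + escaped + "')";
}

// Returns the background-image value for a recipient, or null when the id
// does not match the allowlist. Only a non-null result should be passed to
// sanitizer.bypassSecurityTrustStyle().
function recipientImageStyle(recipientId: unknown): string | null {
  if (typeof recipientId !== "string" || !RECIPIENT_ID.test(recipientId)) {
    return null;
  }
  // After the allowlist check the id holds only hex digits, so it cannot
  // close the url() token, add a declaration, or alter the path.
  return cssUrl("/pImages/" + recipientId + ".jpg");
}

// Constructed sample inputs: the id from the post and two malformed values.
const samples: unknown[] = [
  "57211a89b65ff1be3edd14c9",
  "../admin",
  "1.jpg'); color: red; x: url('",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", recipientImageStyle(s));
}
```

A null result means the component should fall back to a default image instead of calling the bypass method.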