CodeQL documentation

Insecure URL whitelist

ID: js/angular/insecure-url-whitelist
Kind: problem
Severity: warning
Precision: very-high
   - security
   - frameworks/angularjs
   - external/cwe/cwe-183
   - external/cwe/cwe-625
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

AngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.

A URL pattern that is too permissive can cause security vulnerabilities.


Make the whitelist URL patterns as restrictive as possible.


The following example shows an AngularJS application with whitelist URL patterns that all are too permissive.

angular.module('myApp', [])
    .config(function($sceDelegateProvider) {
            "*://*", // BAD
            "https://***", // BAD
            "https://example.**", // BAD
            "https://example.*" // BAD

This is problematic, since the four patterns match the following malicious URLs, respectively:

  • javascript:// (%0A%0D is a linebreak)



  • https://example.evilTld