By DeepSource

Detected insecure whitelisting of URLs in AngularJS JS-S1023

Security a04 owasp top 10 angularjs cwe-183 cwe-625

Overly permissive patterns for whitelisted URLs can introduce security vulnerabilities.

The trustedResourceUrlList or resourceUrlWhitelist(deprecated) in $sceDelegateProvider allows you to whitelist URLs that are considered safe for sourcing templates, or running scripts within your AngularJS application.

The trustedResourceUrlList or resourceUrlWhitelist can have URLs as patterns using wildcard sequences like '' and ''. '' matches zero or more occurrences of any character other than one of the following 6 characters: ':', '/', '.', '?', '&' and ';'. '' matches zero or more occurrences of any character.

Using wildcard sequences in the URL protocol (scheme), domain, etc can make it match more variations of the URL than intended.

Bad Practice

angular.module('myApp', []).config(function($sceDelegateProvider) {
    '**://', // will also allow `javascript://`
    'https://**', // will also allow ``
    'https://home.**.com', // will also allow ``


angular.module('myApp', []).config(function($sceDelegateProvider) {