no-angular-sanitization-trusted-urls

Disallow AngularJS trusted URL list mutations that weaken sanitizer defaults.

Targeted pattern scope

This rule targets calls that mutate AngularJS trusted URL list settings:

$compileProvider.aHrefSanitizationTrustedUrlList(...)
$compileProvider.imgSrcSanitizationTrustedUrlList(...).

What this rule reports

This rule reports direct calls that broaden which URL patterns AngularJS treats as trusted for links and image sources.

Why this rule exists

Relaxing trusted URL lists can enable unsafe protocols or domains and increase XSS and data exfiltration risk.

❌ Incorrect

$compileProvider.aHrefSanitizationTrustedUrlList(/.*/);
$compileProvider.imgSrcSanitizationTrustedUrlList(/.*/);

✅ Correct

// Keep framework defaults unless a narrow, reviewed allow-list is required.

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
 {
  plugins: { sdl },
  rules: {
   "sdl/no-angular-sanitization-trusted-urls": "error",
  },
 },
];

When not to use it

Disable only for legacy AngularJS deployments where URL list updates are strictly reviewed and monitored.

Package documentation

Rule source

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

ESLint flat config example​

When not to use it​

Package documentation​

Further reading​