no-angularjs-sanitization-whitelist

Disallow AngularJS sanitization whitelist mutations that expand trusted inputs.

Targeted pattern scope

This rule targets writes and calls that configure:

$compileProvider.aHrefSanitizationWhitelist(...)
$compileProvider.imgSrcSanitizationWhitelist(...).

What this rule reports

This rule reports allow-list mutations that broaden URL patterns accepted by the AngularJS sanitizer.

Why this rule exists

Overly broad sanitizer allow-lists can permit unsafe protocols or payloads and increase XSS risk.

❌ Incorrect

$compileProvider.aHrefSanitizationWhitelist(/.*/);
$compileProvider.imgSrcSanitizationWhitelist(/.*/);

✅ Correct

// Keep default AngularJS sanitizer allow-lists.

ESLint flat config example

import sdl from "eslint-plugin-sdl-2";

export default [
 {
  plugins: { sdl },
  rules: {
   "sdl/no-angularjs-sanitization-whitelist": "error",
  },
 },
];

When not to use it

Disable only when a migration requires temporary allow-list expansion that is strictly bounded and reviewed.

Package documentation

Rule source

Targeted pattern scope​

What this rule reports​

Why this rule exists​

❌ Incorrect​

✅ Correct​

ESLint flat config example​

When not to use it​

Package documentation​

Further reading​