AngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.

A URL pattern that is too permissive can cause security vulnerabilities.

Make the whitelist URL patterns as restrictive as possible.

The following example shows an AngularJS application with whitelist URL patterns that all are too permissive.

This is problematic, since the four patterns match the following malicious URLs, respectively:

javascript://example.org/a%0A%0Dalert(1) (%0A%0D is a linebreak)
https://evil.com/?ignore=://example.com/a
https://example.evil.com
https://example.evilTld

OWASP/Google presentation: Securing AngularJS Applications

AngularJS Developer Guide: Format of items in resourceUrlWhitelist/Blacklist.