codeql/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js

angular.module('myApp', [])
    .directive('myCustomer', function() {
        return {
            templateUrl: "SAFE" // OK
        }
    })
    .directive('myCustomer', function() {
        return {
            templateUrl: Cookie.get("unsafe") // NOT OK
        }
    });

addEventListener('message', (ev) => {
    Cookie.set("unsafe", ev.data);
});