Rules for detecting security issues in Angular 1.x
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

AngularJS Security Rules For ESLint

These rules are to supplement the security issues documented in my talks at OWASP London and FluentConf around AngularJS Security.

They are currently used as points of interest that would need to be investigate further, but in the upcoming releases they will be a lot more useful when developers write code.


These rules can be used by downloading the Config which includes the installation settings.


The current ruleset supports only Angular 1.x issues, and can be noisy, but they are a work in progress.

Current rules are:

  • detect-angular-element-methods
  • detect-angular-open-redirect
  • detect-angular-orderBy-expressions
  • detect-angular-resource-loading
  • detect-angular-sce-disabled
  • detect-angular-scope-expressions
  • detect-angular-service-expressions
  • detect-angular-trustAs-methods
  • detect-angular-trustAsCss-method
  • detect-angular-trustAsHtml-method
  • detect-angular-sce-disabled
  • detect-angular-trustAsJs-method
  • detect-angular-trustAsResourceUrl-method
  • detect-angular-trustAsUrl-method
  • detect-third-party-angular-translate


  • Each rule needs better detection, and possibly taint analysis
  • Add more rules related to Angular 1.0 - 5 in mind.
  • Add Angular 2/4 security issues such as bypassSecurityTrustHtml

If you feel anything is missing or would like to see additional rules added, feel free to write an issue