diff --git a/modules/config/URLProcessor.js b/modules/config/URLProcessor.js
index 8f1021dfe..5ab19f966 100644
--- a/modules/config/URLProcessor.js
+++ b/modules/config/URLProcessor.js
@@ -36,6 +36,12 @@ var URLProcessor = {
 if (key.indexOf("config.") === 0) {
 confObj = configJSON.config;
 confKey = key.substr("config.".length);
+
+ // prevent passing some parameters which can inject scripts
+ if (confKey === 'analyticsScriptUrl'
+ || confKey === 'callStatsCustomScriptUrl')
+ continue;
+
 } else if (key.indexOf("interfaceConfig.") === 0) {
 confObj = configJSON.interfaceConfig;
 confKey = key.substr("interfaceConfig.".length);
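Review bot: The new guard in the `config.` branch is an exact-match denylist of two key names, so any other option that is later used as a script or resource URL stays overridable from the page URL by default, and a future addition is unprotected until someone remembers to extend this `if`. An allowlist of keys that may be set from URL parameters would fail closed; if that is too large a change here, at least move the names into one named list next to the config defaults and test membership, e.g. `if (URL_BLOCKED_CONFIG_KEYS.indexOf(confKey) !== -1) { continue; }` (the constant name is a suggestion, not an existing identifier). The `interfaceConfig.` branch gets no equivalent check; whether it has URL-bearing options is not visible in this hunk, so that should be confirmed. The comment would also be more useful if it said why these keys are dangerous: `// these values are loaded as <script> sources, so they must never come from the page URL`. The enclosing loop begins and ends outside the hunk, so how `confKey` is applied afterwards (for example to nested or differently cased keys) cannot be checked from here.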