diff --git a/src/ui/public/stringify/__tests__/_url.js b/src/ui/public/stringify/__tests__/_url.js
index 2444766e59422..6c44543ba2240 100644
--- a/src/ui/public/stringify/__tests__/_url.js
+++ b/src/ui/public/stringify/__tests__/_url.js
@@ -44,11 +44,11 @@ describe('Url Format', function () {
 
     describe('url template', function () {
       it('accepts a template', function () {
-        const url = new Url({ urlTemplate: 'url: {{ value }}' });
+        const url = new Url({ urlTemplate: 'http://{{ value }}' });
         const $a = unwrap($(url.convert('url', 'html')));
         expect($a.is('a')).to.be(true);
         expect($a.size()).to.be(1);
-        expect($a.attr('href')).to.be('url: url');
+        expect($a.attr('href')).to.be('http://url');
         expect($a.attr('target')).to.be('_blank');
         expect($a.children().size()).to.be(0);
       });
@@ -61,11 +61,11 @@ describe('Url Format', function () {
 
     describe('label template', function () {
       it('accepts a template', function () {
-        const url = new Url({ labelTemplate: 'extension: {{ value }}' });
+        const url = new Url({ labelTemplate: 'extension: {{ value }}', urlTemplate: 'http://www.{{value}}.com' });
         const $a = unwrap($(url.convert('php', 'html')));
         expect($a.is('a')).to.be(true);
         expect($a.size()).to.be(1);
-        expect($a.attr('href')).to.be('php');
+        expect($a.attr('href')).to.be('http://www.php.com');
         expect($a.html()).to.be('extension: php');
       });
 
@@ -109,5 +109,23 @@ describe('Url Format', function () {
         });
       });
     });
+
+    describe('whitelist', function () {
+      it('should spit out the raw value if the value is not in the whitelist', function () {
+        const url = new Url();
+
+        expect(url.convert('www.elastic.co', 'html'))
+        .to.be('<span ng-non-bindable>www.elastic.co</span>');
+
+        expect(url.convert('elastic.co', 'html'))
+        .to.be('<span ng-non-bindable>elastic.co</span>');
+
+        expect(url.convert('elastic', 'html'))
+        .to.be('<span ng-non-bindable>elastic</span>');
+
+        expect(url.convert('ftp://elastic.co', 'html'))
+        .to.be('<span ng-non-bindable>ftp://elastic.co</span>');
+      });
+    });
   });
 });
diff --git a/src/ui/public/stringify/types/url.js b/src/ui/public/stringify/types/url.js
index 08543b8bfe570..17c33845b11ea 100644
--- a/src/ui/public/stringify/types/url.js
+++ b/src/ui/public/stringify/types/url.js
@@ -8,7 +8,7 @@ import { getHighlightHtml } from 'ui/highlight';
 export function stringifyUrl(Private) {
 
   const FieldFormat = Private(IndexPatternsFieldFormatProvider);
-
+  const whitelistUrlSchemes = ['http://', 'https://'];
 
   _.class(Url).inherits(FieldFormat);
   function Url(params) {
@@ -102,6 +102,11 @@ export function stringifyUrl(Private) {
 
           return `<img src="${url}" alt="${imageLabel}">`;
         default:
+          const inWhitelist = whitelistUrlSchemes.some(scheme => url.indexOf(scheme) === 0);
+          if (!inWhitelist) {
+            return url;
+          }
+
           let linkLabel;
 
           if (hit && hit.highlight && hit.highlight[field.name]) {