kylefang/angular.js
1
0
Fork 0
mirror of https://github.com/zhigang1992/angular.js.git synced 2026-04-23 19:40:56 +08:00
Code Issues Packages Projects Releases Wiki Activity

docs(compile/nodomevents): description for compile/nodomevents error

Browse Source 
Closes #3459
This commit is contained in:
Misko Hevery
2013-08-01 15:46:36 -07:00
committed by Igor Minar
parent 78a445fa37
commit fa3985764c
1 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docs/content/error/compile/nodomevents.ngdoc
View File

@@ -2,3 +2,19 @@
@name $compile:nodomevents
@fullName Interpolated Event Attributes
@description
This error occurs when one tries to create a binding for event handler attributes like `onclick`, `onload`, `onsubmit`, etc.
There is no practical value in binding to these attributes and doing so only exposes your application to security vulnerabilities like XSS.
For these reasons binding to event handler attributes (all attributes that start with `on` and `formaction` attribute) is not supported.
An example code that would allow XSS vulnerability by evaluating user input in the window context could look like this:
```
<input ng-mode="username">
<div onclick="{{username}}">click me</div>
```
Since the `onclick` evaluates the value as JavaScript code in the window context, setting the `username` model to a value like `javascript:alert('PWND')` would result in script injection when the `div` is clicked.