diff options
| author | Misko Hevery | 2013-08-01 15:46:36 -0700 |
|---|---|---|
| committer | Igor Minar | 2013-08-08 14:45:04 -0700 |
| commit | fa3985764c1636fb408f18516dc47933ca0def44 (patch) | |
| tree | 71d64aa3611834c837d90aa5b9eac203eba6b4b7 | |
| parent | 78a445fa375400a2ced5383b485f26fc0ae363d2 (diff) | |
| download | angular.js-fa3985764c1636fb408f18516dc47933ca0def44.tar.bz2 | |
docs(compile/nodomevents): description for compile/nodomevents error
Closes #3459
| -rw-r--r-- | docs/content/error/compile/nodomevents.ngdoc | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/docs/content/error/compile/nodomevents.ngdoc b/docs/content/error/compile/nodomevents.ngdoc index 421e896f..67bd81ee 100644 --- a/docs/content/error/compile/nodomevents.ngdoc +++ b/docs/content/error/compile/nodomevents.ngdoc @@ -2,3 +2,19 @@ @name $compile:nodomevents @fullName Interpolated Event Attributes @description + +This error occurs when one tries to create a binding for event handler attributes like `onclick`, `onload`, `onsubmit`, etc. + +There is no practical value in binding to these attributes and doing so only exposes your application to security vulnerabilities like XSS. +For these reasons binding to event handler attributes (all attributes that start with `on` and `formaction` attribute) is not supported. + + +An example code that would allow XSS vulnerability by evaluating user input in the window context could look like this: +``` +<input ng-mode="username"> +<div onclick="{{username}}">click me</div> +``` + +Since the `onclick` evaluates the value as JavaScript code in the window context, setting the `username` model to a value like `javascript:alert('PWND')` would result in script injection when the `div` is clicked. + + |