fix($parse): disallow access to window and dom in expressions

2 files changed, 32 insertions, 0 deletions

diff --git a/docs/content/error/parse/isecdom.ngdoc b/docs/content/error/parse/isecdom.ngdoc
new file mode 100644
index 00000000..666bf36c
--- /dev/null
+++ b/docs/content/error/parse/isecdom.ngdoc
@@ -0,0 +1,16 @@
+@ngdoc error
+@name $parse:isecdom
+@fullName Referencing a DOM node in Expression
+@description
+
+Occurs when an expression attempts to access a DOM node.
+
+AngularJS restricts access to DOM nodes from within expressions since it's a known way to
+execute arbitrary Javascript code.
+
+This check is only performed on object index and function calls in Angular expressions.  These are
+places that are harder for the developer to guard.  Dotted member access (such as a.b.c) does not
+perform this check - it's up to the developer to not expose such sensitive and powerful objects
+directly on the scope chain.
+
+To resolve this error, avoid access to DOM nodes.
diff --git a/docs/content/error/parse/isecwindow.ngdoc b/docs/content/error/parse/isecwindow.ngdoc
new file mode 100644
index 00000000..81adeea0
--- /dev/null
+++ b/docs/content/error/parse/isecwindow.ngdoc
@@ -0,0 +1,16 @@
+@ngdoc error
+@name $parse:isecwindow
+@fullName Referencing Window object in Expression
+@description
+
+Occurs when an expression attempts to access a Window object.
+
+AngularJS restricts access to the Window object from within expressions since it's a known way to
+execute arbitrary Javascript code.
+
+This check is only performed on object index and function calls in Angular expressions.  These are
+places that are harder for the developer to guard.  Dotted member access (such as a.b.c) does not
+perform this check - it's up to the developer to not expose such sensitive and powerful objects
+directly on the scope chain.
+
+To resolve this error, avoid Window access.