path: root/test/ng/directive/booleanAttrsSpec.js
author    Chirayu Krishnappa    2013-06-21 13:03:56 -0700
committer Chirayu Krishnappa    2013-06-21 17:37:44 -0700
commit    39841f2ec9b17b3b2920fd1eb548d444251f4f56 (patch)
tree      0776f7918d3b3bfbab22507a2ace7dc5fa43bc1c /test/ng/directive/booleanAttrsSpec.js
parent    1adf29af13890d61286840177607edd552a9df97 (diff)
download  angular.js-39841f2ec9b17b3b2920fd1eb548d444251f4f56.tar.bz2
fix($compile): disallow interpolations for DOM event handlers
BREAKING CHANGE: Interpolations inside DOM event handlers are disallowed.

DOM event handlers execute arbitrary JavaScript code. Using an interpolation for such handlers means that the interpolated value is a JS string that is evaluated. Storing or generating such strings is error prone and likely leads to an XSS if you're not super careful.

On the other hand, ng-click and such event handlers evaluate Angular expressions that are a lot safer (e.g. no direct access to global objects - only scope), cleaner and harder to exploit.

To migrate the code follow the example below:

Before:

    JS:   scope.foo = 'alert(1)';
    HTML: <div onclick="{{foo}}">

After:

    JS:   scope.foo = function() { alert(1); }
    HTML: <div ng-click="foo()">
Diffstat (limited to 'test/ng/directive/booleanAttrsSpec.js')
0 files changed, 0 insertions, 0 deletions