From fa3985764c1636fb408f18516dc47933ca0def44 Mon Sep 17 00:00:00 2001
From: Misko Hevery
Date: Thu, 1 Aug 2013 15:46:36 -0700
Subject: docs(compile/nodomevents): description for compile/nodomevents error

Closes #3459
---
 docs/content/error/compile/nodomevents.ngdoc | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'docs/content/error')

diff --git a/docs/content/error/compile/nodomevents.ngdoc b/docs/content/error/compile/nodomevents.ngdoc
index 421e896f..67bd81ee 100644
--- a/docs/content/error/compile/nodomevents.ngdoc
+++ b/docs/content/error/compile/nodomevents.ngdoc
@@ -2,3 +2,19 @@
 @name $compile:nodomevents
 @fullName Interpolated Event Attributes
 @description
+
+This error occurs when one tries to create a binding for event handler attributes like `onclick`, `onload`, `onsubmit`, etc.
+
+There is no practical value in binding to these attributes and doing so only exposes your application to security vulnerabilities like XSS.
+For these reasons binding to event handler attributes (all attributes that start with `on` and `formaction` attribute) is not supported.
+
+
+An example code that would allow XSS vulnerability by evaluating user input in the window context could look like this:
+```
+<input ng-mode="username">
+<div onclick="{{username}}">click me</div>
+```
+
+Since the `onclick` evaluates the value as JavaScript code in the window context, setting the `username` model to a value like `javascript:alert('PWND')` would result in script injection when the `div` is clicked.
+
+
-- 
cgit v1.2.3