angular/angular.js

View on GitHub
docs/content/error/$compile/nodomevents.ngdoc

Summary

Maintainability
Test Coverage
@ngdoc error
@name $compile:nodomevents
@fullName Event Attribute/Property Binding
@description

This error occurs when one tries to create a binding for event handler attributes or properties like `onclick`, `onload`, `onsubmit`, etc.

There is no practical value in binding to these attributes/properties and doing so only exposes your application to security vulnerabilities like XSS.
For these reasons binding to event handler attributes and properties (`formaction` and all starting with `on`) is not supported.


An example code that would allow XSS vulnerability by evaluating user input in the window context could look like this:
```
<input ng-model="username">
<div onclick="{{username}}">click me</div>
```

Since the `onclick` evaluates the value as JavaScript code in the window context, setting the `username` model to a value like `javascript:alert('PWND')` would result in script injection when the `div` is clicked.

Please use the `ng-*` or `ng-on-*` versions instead (such as `ng-click` or `ng-on-click` rather than `onclick`).