Evaluates the compiled src and returns the result of the expression. Property look-ups or assignments are executed on a given scope.
evaluate.assign(scope, value): *
Tries to assign the given value to the result of the compiled expression on the given scope and returns the result of the assignment.
In the browser
There is no dist build because it's not 2005 anymore. Use a module bundler like webpack or browserify. They're both capable of CommonJS and AMD.
Security
The code of angular was not secured from reading prototype, and since version 1.0.1 of angular-expressions, the module disallows reading properties that are not ownProperties. See this blog post for more details about the sandbox that got removed completely in angular 1.6.
Comment from angular.js/src/ng/parse.js:
Angular expressions are generally considered safe because these expressions only have direct
access to $scope and locals. However, one can obtain the ability to execute arbitrary JS code by
obtaining a reference to native JS functions such as the Function constructor.
As an example, consider the following Angular expression:
{}.toString.constructor(alert("evil JS code"))
We want to prevent this type of access. For the sake of performance, during the lexing phase we
disallow any "dotted" access to any member named "constructor".
For reflective calls (a[b]) we check that the value of the lookup is not the Function constructor
while evaluating the expression, which is a stronger but more expensive test. Since reflective
calls are expensive anyway, this is not such a big deal compared to static dereferencing.
This sandboxing technique is not perfect and doesn't aim to be. The goal is to prevent exploits
against the expression language, but not to prevent exploits that were enabled by exposing
sensitive JavaScript or browser apis on Scope. Exposing such objects on a Scope is never a good
practice and therefore we are not even trying to protect against interaction with an object
explicitly exposed in this way.
A developer could foil the name check by aliasing the Function constructor under a different
name on the scope.
In general, it is not possible to access a Window object from an angular expression unless a
window or some DOM object that has a reference to window is published onto a Scope.
Authorship
Kudos go entirely to the great angular.js team, it's their implementation!
Contributing
Suggestions and bug-fixes are always appreciated. Don't hesitate to create an issue or pull-request. All contributed code should pass
the tests in node.js by running npm test
the tests in all major browsers by running npm run test-browser and then visiting http://localhost:8080/bundle