
> Unless Angular is using `eval()`

Which it is, as far as I can see, though it tried to make it slightly safer ... until version 1.6, when it gave up on pretending it's at all safe. The linked SlideShare from the GitHub issue talks about this a bit. See http://www.slideshare.net/x00mario/an-abusive-relationship-w... slides 16-31, which talk about the sandbox Angular tried to apply to the environment it did the eval() in, but in the end it's grabbing text from the DOM and doing an eval().

Note that in a browser extension, taking text from the DOM (controlled by the web page) and doing an eval (with the privileges of the extension!) is obviously really, really bad.

[Disclaimer: I work for Mozilla and I'm not an expert on Angular.]


