refact($parse): remove expression sandbox

petebacondarwin · petebacondarwin · commit 854da35dfa0f · 2016-09-06T14:24:48.000+01:00
diff --git a/docs/content/guide/expression.ngdoc b/docs/content/guide/expression.ngdoc
@@ -113,11 +113,11 @@ You can try evaluating different expressions here:
 Angular does not use JavaScript's `eval()` to evaluate expressions. Instead Angular's
 {@link ng.$parse $parse} service processes these expressions.
 
-Angular expressions do not have access to global variables like `window`, `document` or `location`.
+Angular expressions do not have direct access to global variables like `window`, `document` or `location`.
 This restriction is intentional. It prevents accidental access to the global state – a common source of subtle bugs.
 
-Instead use services like `$window` and `$location` in functions called from expressions. Such services
-provide mockable access to globals.
+Instead use services like `$window` and `$location` in functions on controllers, which are then called from expressions.
+Such services provide mockable access to globals.
 
 It is possible to access the context object using the identifier `this` and the locals object using the
 identifier `$locals`.
diff --git a/docs/content/guide/security.ngdoc b/docs/content/guide/security.ngdoc
@@ -71,13 +71,13 @@ Control of the Angular templates makes applications vulnerable even if there was
 
 * Do not mix client and server templates
 * Do not use user input to generate templates dynamically
-* Do not run user input through `$scope.$eval` (or any of the other expression parsing functions listed above).
+* Do not run user input through `$scope.$eval` (or any of the other expression parsing functions listed above)
 * Consider using {@link ng.directive:ngCsp CSP} (but don't rely only on CSP)
 
-**You can use server-side templating to dynamically generate CSS, URLs, etc, but not for generating templates that are
+**You can use suitably sanitized server-side templating to dynamically generate CSS, URLs, etc, but not for generating templates that are
 bootstrapped/compiled by Angular.**
 
-**If you have to keep on using the user-provided content in a template then the safest option is to ensure that it is only
+**If you must continue to allow user-provided content in an Angular template then the safest option is to ensure that it is only
 present in the part of the template that is made inert via the {@link ngNonBindable} directive.**
 
 
diff --git a/src/ng/parse.js b/src/ng/parse.js
@@ -34,7 +34,7 @@ var objectValueOf = OBJECT_CTOR_PROTO.valueOf;
 
 // Sandboxing Angular Expressions
 // ------------------------------
-// Angular expressions are no longer sandboxed. So it is now possible to access arbitary JS code by
+// Angular expressions are no longer sandboxed. So it is now even easier to access arbitary JS code by
 // various means such as obtaining a reference to native JS functions like the Function constructor.
 //
 // As an example, consider the following Angular expression:
