by mikelarned
3864 days ago
It looks like this is only possible when we are mixing server side / client side templates? Enter an expression into input, a user hard refreshes and the expression is rendered into our angular template. Are there any good approaches to always scrubbing expression input on the server side (or just avoid the client side / server side template mix?)
You should definitely avoid mixing server side and client side templates, but if that's too much work, scrubbing would work. You would need to strip the expression start and end symbols. Default symbols are '{{' and '}}', but some apps use different symbols to avoid collisions with other template engines that use the double curly brace.
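
The scrubbing described in the reply above, as an added example that is not part of the thread: a server-side filter that removes the start and end symbols (default or custom) before a value is echoed into a page AngularJS will compile. The function names and sample inputs are hypothetical, and a Node.js server is assumed.

```javascript
// Added example (not from the thread): server-side scrubbing of AngularJS
// interpolation symbols. Function names and inputs are constructed.

// Escape regex metacharacters so custom symbols such as "[[" match literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Remove every start/end symbol. A single pass is not enough: removing the
// symbols from "{{{}}{" leaves "{{", so repeat until the string stops changing.
function stripExpressionSymbols(input, start = "{{", end = "}}") {
  const symbols = new RegExp(`${escapeRegExp(start)}|${escapeRegExp(end)}`, "g");
  let out = String(input);
  let prev;
  do {
    prev = out;
    out = out.replace(symbols, "");
  } while (out !== prev);
  return out;
}

// HTML-escape after stripping. Escaping alone does not help here, because the
// braces are not HTML metacharacters and pass through unchanged.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Value that is safe to place in element content of a server-rendered page.
function renderUserValue(input, start, end) {
  return escapeHtml(stripExpressionSymbols(input, start, end));
}
```

Pass the app's own symbols as `start` and `end` when it has changed them from the defaults.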