$translate.instant with angular expression

[fjh352]

Subject of the issue

Describe your issue here. $translate.instant with angular expression, such like: {{constructor.constructor('alert(JSON.stringify(localStorage))')()}} lt will pop alart after run this logic

Your environment

• version of angular-translate 2.18.1
• version of angular 1.8.2
• which browser and its version Chrome Version 104.0.5112.81

Steps to reproduce

Tell us how to reproduce this issue. Please provide a working demo, you can use this template as a base.

Expected behaviour

Tell us what should happen

Actual behaviour

Tell us what happens instead

[knalli]

Yes, the same as having this in your app's template:

<span>{{constructor.constructor('alert(JSON.stringify(localStorage))')()}}</span>

angular-translate relies on the same technique under the hood when interpolating your variables. The translation keys are meant to be string keys and in your control. Both template and translation keys should be under your (and your app's) control.

In security aspects, that is not ideal. But the official long term support of AngularJS has also stopped at the beginning of this year.

If you think there is a reasonable fix for this without breaking everything, you are welcome making a PR.