Reproduction of AngularJS <textarea> XSS vulnerability

Instructions

  1. Populate the textarea with content that could be malicious when evaluated by AngularJS. For example, copy and paste the following text:
    {{ $eval.constructor('alert("Hacked!")')() }}

  2. Navigate to a different page. Either type a URL in the browser address bar or click the following link: Other page

  3. Come back to this page by clicking the browser's "Back" button.

NOTE 1: This vulnerability only affects Internet Explorer.
NOTE 2: This vulnerability is fixed in XLTS for AngularJS v1.9.0.
NOTE 3: The source code for this proof of concept can be found on GitHub.