DOM XSS: AngularJS Expression with Angle Brackets and Double Quotes HTML-encoded

Testing /?search=haxhax:

The page loads a vulnerable version of AngularJS, the body carries the ng-app attribute, and the search term is reflected inside it, so I have an injection point. HTML-encoding angle brackets and double quotes stops ordinary tag and attribute injection, but it does nothing here: AngularJS scans the rendered DOM for {{...}} expressions and evaluates them, and an expression needs neither character. I can verify this with /?search={{7*7}}, which renders 49:

Unfortunately I can't just pass alert() or print(): AngularJS expressions are evaluated against the scope object rather than the window, inside a restricted expression sandbox, so global functions aren't reachable by name.

However, the scope exposes methods such as $new, and every JavaScript function's constructor property is the global Function constructor. Reaching it from the expression gives me a way to compile and run arbitrary JavaScript, breaking out of the restricted expression evaluator:

/?search={{$new.constructor('alert()')()}}

Credit: Jarno Timmermans