
Script elements in template files should be inert #2766

@IgorMinar

Given a template:

    some component template containing script tag
    <script>
      console.log('dfsdf');
      alert("hello");
    </script>

associated with a component:

    @Component({
      selector: 'test-component'
    })
    @View({
      template: 'test-component.html'
    })
    ...

when the component is instantiated the script executes.

The root cause of this issue appears to be that we use document.importNode(node, true) when importing contents from the template into the main document. During this import the script element is revived and once appended to the document it's executed.

In Angular component templates this behavior is undesirable since the script is very limited in what it can do (it has no access to the context, DI, etc.) and only exposes a large security vulnerability surface.

Tested with alpha-28.
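
One way to keep template scripts inert at the import step described above, as an added example (not part of the original issue and not Angular's own fix). `importTemplateInert` and `stripScripts` are hypothetical helper names; the clone is cleaned while it is still detached from the document, and nested `<template>` elements are covered as well.

```javascript
// Added example, not Angular code. Helper names are hypothetical.

// Remove every <script> under `root` and return the removed sources.
// querySelectorAll() does not descend into a nested <template>'s content
// (it lives in a separate DocumentFragment), so recurse into it explicitly;
// otherwise those scripts would survive until that inner template is imported.
function stripScripts(root, stripped = []) {
  // Snapshot into an array first so removal cannot disturb the iteration.
  for (const script of Array.from(root.querySelectorAll('script'))) {
    stripped.push(script.textContent); // keep the source for logging or review
    script.remove();
  }
  for (const inner of Array.from(root.querySelectorAll('template'))) {
    if (inner.content) stripScripts(inner.content, stripped);
  }
  return stripped;
}

// Clone a <template>'s content into `doc` the way the issue describes
// (document.importNode(node, true)), but strip the script elements from the
// detached clone before the caller appends it to the document.
function importTemplateInert(doc, template) {
  const fragment = doc.importNode(template.content, true);
  const stripped = stripScripts(fragment);
  return { fragment, stripped };
}

// Browser usage (assumes a <template id="test-component"> exists in the page):
//   const tpl = document.getElementById('test-component');
//   const { fragment, stripped } = importTemplateInert(document, tpl);
//   if (stripped.length) console.warn('dropped template scripts:', stripped);
//   hostElement.appendChild(fragment);
```

The original template is left untouched; only the clone is modified. This covers `<script>` elements only, which is the case the issue reports.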
