Shortly after Windows 8 launched I examined several Windows Store apps that used the WinJS framework — specifically looking at document.execCommand, execUnsafeLocalFunction, setInnerHTMLUnsafe, and similar APIs that bypassed the app’s content security policy. The WinJS security model relied on developers using safe DOM APIs, but these escape hatches were easy to reach from web content in webview controls. The findings were documented across several internal write-ups and passed to the platform team. A proof-of-concept targeting the Google Search app was also included in the review.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.
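
For anyone auditing a legacy WinJS code base for the escape hatches named above, the following added example (not code from the original review or from WinJS itself) lists each call and records whether the markup argument is passed directly through toStaticHTML. The sample source, the file name, and the two sibling helpers setOuterHTMLUnsafe and insertAdjacentHTMLUnsafe are assumptions beyond what the post names.

```javascript
// Added example: lexical audit for WinJS escape-hatch calls in app source.
// HTML sinks take the markup as their last argument.
const HTML_SINKS = ["setInnerHTMLUnsafe", "setOuterHTMLUnsafe", "insertAdjacentHTMLUnsafe"];
const OTHER_SINKS = ["execUnsafeLocalFunction", "execCommand"];

// Split the top-level arguments of a call; `start` is the index just past "(".
function readArgs(src, start) {
  const args = [];
  let depth = 0, quote = null, cur = "";
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      cur += c;
      if (c === "\\") cur += src[++i] ?? "";
      else if (c === quote) quote = null;
    } else if (c === ")" && depth === 0) { args.push(cur.trim()); return args; }
    else if (c === "," && depth === 0) { args.push(cur.trim()); cur = ""; }
    else {
      if ("\"'`".includes(c)) quote = c;
      else if ("([{".includes(c)) depth++;
      else if (")]}".includes(c)) depth--;
      cur += c;
    }
  }
  return []; // unbalanced call: treat as having no readable arguments
}

// Report every sink call; an HTML sink is "filtered" only when its last
// argument is wrapped directly in toStaticHTML(). Everything else needs review.
function auditSource(file, src) {
  const findings = [];
  for (const api of [...HTML_SINKS, ...OTHER_SINKS]) {
    for (const m of src.matchAll(new RegExp("\\b" + api + "\\s*\\(", "g"))) {
      const last = readArgs(src, m.index + m[0].length).pop() || "";
      const filtered = HTML_SINKS.includes(api) && /^(window\.)?toStaticHTML\s*\(/.test(last);
      const line = src.slice(0, m.index).split("\n").length;
      findings.push({ file, line, api, verdict: filtered ? "filtered" : "review" });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample input, not taken from any real app.
const SAMPLE = `function render(host, r, cmd) {
  WinJS.Utilities.setInnerHTMLUnsafe(host, r.snippet);
  WinJS.Utilities.setInnerHTMLUnsafe(host, toStaticHTML(r.title));
  MSApp.execUnsafeLocalFunction(function () { host.innerHTML = r.body; });
  document.execCommand(cmd, false, r.body);
}`;
console.log(auditSource("sample.js", SAMPLE));
```

The check is purely lexical: markup that was sanitized into a variable earlier is still reported as "review", and comments are not stripped, so the output is a list to triage by hand.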