An XSS vulnerability in Google Code-in exploited improper escaping of user input within JSON data embedded in script tags, where the </script> sequence in user comments terminated the script element prematurely, allowing payload execution. The vulnerability was further exploited via AngularJS template injection ({{1-1}}) to bypass the Content Security Policy.
A researcher chained a stored XSS vulnerability in a mindmap feature with JWT token theft from localStorage and an unauthenticated email-change endpoint to achieve full account takeover. The critical challenge was properly escaping JSON payloads nested within JavaScript code inside an SVG onload handler, which was ultimately solved using eval() to convert single-quoted JSON to double-quoted JSON.