Exploiting an open message reciever and an Angular CSTI to get cross site scripting on a seemingly innocuous site.

Uploading a malicious HTML file to the web application to get XSS and decode a sensitive cookie.