Key Corrections Based on Working Example
1. ALL messages go through okxInternalJSBridge.postMessage()
2. XSS payload goes in the 'id' field, not 'data'
3. Set up response channel stubs to detect XSS execution
4. Use proper ID injection variants for different sink styles