I've compiled some examples of real-world functionality I've encountered that can be used to bypass Internet Explorer's (as well as "Spartan"/"Edge"'s) anti-Reflective Cross Site Scripting filter.
Play around with the deliberately vulnerable pages, and see for yourself how you can chain together a site's own functionality to reproduce the bypass.
Append .html to any .php extension to see the source of the .php file.
Example:
With the MS14-080 update, using two of the following pages has become slightly more difficult, but still possible. Those two pages are marked with an * character.
The main playground equipment:
document.getElementById('something').doStuff();
).