This one surprised me. The document.execCommand('InsertImage', true) call, when triggered from an iframe on a different origin, ends up inserting content into the parent document rather than the iframe’s own document. I don’t consider it a critical issue by itself, but it demonstrates that execCommand was not properly scoped to the document that owned the selection.

<!-- I_SHOULD_BE_IN_A_DIFFERENT_DOMAIN.html (served from a different origin) -->
<input type="button" value="MouseOver Me" onmouseover="document.execCommand('InsertImage', true);">

<!-- index.html (the attacker's page) -->
<iframe src="http://www.iframe.com/crash/09/_PoCs/InsertImage/I_SHOULD_BE_IN_A_DIFFERENT_DOMAIN.html"
        width="90%" height="70%"></iframe>

Mousing over the button in the cross-origin iframe opens the InsertImage dialog. Whatever image URL is typed ends up inserted into the parent document, which belongs to the attacker’s origin — not the iframe’s. The deeper issue is that execCommand could still reach across document boundaries in ways that bypassed the same-origin policy.
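As an added regression check (written for this post, not part of the original PoC), the two pages below verify the scoping from both sides: the outer page watches its own DOM with a MutationObserver and reports any image that appears in it, while the framed page confirms that the image landed in its own document. The file names, the origin in the iframe URL and the element ids are placeholders; the image is a plain 1x1 GIF data URL passed as the command argument so the check runs without the dialog.

```html
<!-- outer.html (served from origin A) -->
<p id="status">waiting for the framed page to run its check</p>
<iframe src="https://ORIGIN-B.example/scope-check.html" width="90%" height="70%"></iframe>
<script>
  // A correctly scoped execCommand in the framed page must never add
  // nodes here, so any <img> that shows up in this document is a failure.
  new MutationObserver(function (records) {
    for (const record of records) {
      for (const node of record.addedNodes) {
        if (node.nodeName === 'IMG') {
          document.getElementById('status').textContent =
            'FAIL: an image was inserted into the parent document';
        }
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
</script>

<!-- scope-check.html (served from origin B) -->
<div id="editor" contenteditable="true">editable text owned by this document</div>
<input type="button" value="MouseOver Me" onmouseover="runCheck()">
<p id="result"></p>
<script>
  function runCheck() {
    const editor = document.getElementById('editor');
    // Anchor the selection inside this document's own editable region,
    // so the command has exactly one legitimate target document.
    editor.focus();
    document.getSelection().selectAllChildren(editor);
    const before = document.images.length;
    // 1x1 transparent GIF as the image URL (no dialog, showDefaultUI = false).
    document.execCommand('insertImage', false,
      'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
    const gained = document.images.length - before;
    document.getElementById('result').textContent = gained === 1
      ? 'PASS: the image was inserted into this document'
      : 'FAIL: this document gained ' + gained + ' image(s)';
  }
</script>
```

Serve the two files from different origins, load outer.html, and mouse over the button: a correctly behaving browser shows PASS in the frame and leaves the outer status untouched, while the behaviour described above would flip the outer status to FAIL.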

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.