IE was supposed to mask the real file system path when a user selected a file via <input type="file">, substituting C:\fakepath\filename. I found that selecting the text in the input element and then reading the selection range gave back the real path before the masking was applied.

document.all.inputFile.select();
var rngFile = document.selection.createRange();
alert(rngFile.text); // Real path, e.g. C:\Users\victim\Documents\secret.doc

The value property was correctly masked, but createRange().text on the selected content bypassed that protection and returned the unmasked string. This was a pure information-disclosure issue — no code execution, but the full local path of a selected file is something a web page should never be able to read.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.