Focusing a cross-origin IFrame and then calling document.execCommand from the parent page allowed injecting arbitrary HTML attributes into the IFrame’s content via the InsertImage command. The injected onerror handler executed in the IFrame’s document context, reading its cookies.
xIFrame.focus();
document.execCommand("SelectAll");
document.execCommand(
"InsertImage",
null,
'1" onerror="alert(document.cookie)'
);
The execCommand dispatcher in IE9 did not enforce origin checks when the current selection spanned or was within a cross-origin frame. The InsertImage command created an <img> tag in the IFrame’s document with the attacker-controlled src attribute; because the value was not escaped, the embedded double quote terminated the src attribute and the remainder was parsed as an onerror event handler that ran in the IFrame’s security context.
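The two checks that were missing, as an added Node.js model rather than code from the original post or from IE9: a same-origin comparison between the calling document and the document holding the selection, and attribute escaping so a double quote in the src value cannot break out of the attribute. The function names, URLs and the string-building dispatcher are assumptions for illustration.

```javascript
// Added model (not the original post's code): the origin check and attribute
// escaping that the IE9 InsertImage path lacked. Node.js, no DOM required.

// Same-origin comparison: scheme, host and port must all match.
// URL normalizes default ports, so "http://a.example:80" equals "http://a.example".
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Escape a value for a double-quoted HTML attribute so a '"' inside the
// src cannot close the attribute and introduce a new one.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical editing-command dispatcher. callerUrl is the document that
// called execCommand; selectionUrl is the document that holds the selection.
// Returns the markup that would be inserted, or null when the call is refused.
function insertImage(callerUrl, selectionUrl, src) {
  if (!sameOrigin(callerUrl, selectionUrl)) {
    return null; // cross-origin selection: refuse, the check IE9 did not perform
  }
  return `<img src="${escapeAttr(src)}">`;
}

// Unchecked variant for comparison: no origin check, raw concatenation.
// Shows how the value from the post becomes a second attribute.
function insertImageUnchecked(src) {
  return `<img src="${src}">`;
}

// Constructed sample: the payload string from the post above.
const samplePayload = '1" onerror="alert(document.cookie)';
console.log(insertImageUnchecked(samplePayload));                            // second attribute injected
console.log(insertImage("https://a.example", "https://b.example", samplePayload)); // null
console.log(insertImage("https://a.example", "https://a.example/f", samplePayload)); // quotes escaped
```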
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.