[Webkit-unassigned] [Bug 66241] New: Crash when inserting text with a trailing newline into a textarea via JS

Mon Aug 15 11:16:19 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=66241

           Summary: Crash when inserting text with a trailing newline into
                    a textarea via JS
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
        OS/Version: Mac OS X 10.6
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: demerzel at gmail.com

Steps to reproduce:

1. Open an HTML file that contains the following (also attached as foo.html)
<html>
<body onload="document.getElementById('comment_value').innerHTML='a\n';">
<style>
#container + * { clear: both; }
</style>
<p id="container">
<textarea id="comment_value"></textarea>
</p>
</body>
</html>

2. Click into the textarea, move cursor to the end of the 'a' in it.

3. Hit the Return key.

What is the expected result?

Cursor should go to the next line, inserting a new line into the text area.

What happens instead?

The page reloads, and I see a new crash report in Console.app. Attached.

Notes:
- Removing the "#container + *" CSS rule prevents the crash.
- I saw this crash first in the latest Chrome, and reported it on their bugtracker, here: 
   http://code.google.com/p/chromium/issues/detail?id=92757

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.