Version: (using KDE KDE 3.5.6)
Installed from: Compiled From Sources

Test case:
<textarea></button></textarea></br><bdo dir=""> <pre><frameset> <a>

Online demo: http://morph3us.org/security/pen-testing/konqueror/1178292626-khtml.html
#11 0xb7c85272 in khtml::RenderBlock::createLineBoxes (this=0x821ab08, obj=0x821ac10) at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:644
#12 0xb7c862e1 in khtml::RenderBlock::constructLine (this=0x821ab08, end=@0xbfc4e038)
Slightly simpler TC:
<textarea>text</textarea><br><span style="unicode-bidi:embed"> <pre><frameset>

BTW, should continuations for inlines be inlines?
Created attachment 21286: htmltokenizer.cpp.patch.diff

This is an interesting one: konqueror doesn't seem to like white chars before the "pre" start tag when there are no non-white chars before it. In the attachment is the patch which should fix this. It's a first try and needs testing with other possible tags (not only "span" and "bdo") according to their text formatting behavior (whether they interpret white chars or not). Give it a try )
I don't think working around this in the tokenizer is the right solution. The parser is getting confused because of the <frameset>, and the body replacement by a frameset is causing the error.
Actually, I don't think you're right. It can have nothing to do with a <frameset>. Here is an example:
<br> <bdo dir=""> <pre> <
When unpatched, Konqueror will crash, which means a <frameset> doesn't matter at all (and it is the same test case as yours). I don't see the patch as a workaround 'cause it's the default behavior anyway as far as I know (those white chars don't get interpreted). And take a look at the code: e.g. when <pre> is found a LFDiscard is applied. But if you have a better solution we are open for discussion, of course :-)
konqueror 4 (trunk) doesn't crash with the testcase.
no crash in 3.5.9 either. closing.