Created attachment 28238 [details]
Demonstration of the bug, note the HTML in the second textarea shows style has been removed from the outer DIV.

Created attachment 32751 [details]
demonstrates the same bug on WebKit & Firefox

Created attachment 32754 [details]
simplified test case (without designMode="on")

The previous test case had the designMode="on".  When turning this off, Firefox doesn't change the style at all.

It seems that highestAncestorWithTextDecoration called in ApplyStyleCommand::pushDownTextDecorationStyleAroundNode is crossing the editing boundary.

Created attachment 33120 [details]
highestAncestorWithTextDecoration stops at an unsplittable element, and improves other text decorations support

This patch may also resolve https://bugs.webkit.org/show_bug.cgi?id=20215.

Comment on attachment 33120 [details]
highestAncestorWithTextDecoration stops at an unsplittable element, and improves other text decorations support

This makes unrelated, possibly incorrect changes.  Please break this into multiple patches with individual test cases.

See the test case on https://bugs.webkit.org/show_bug.cgi?id=20215, I think you may have broken some of those cases here.

Note: also see http://trac.webkit.org/changeset/8466

Changed the priority because this has potential security vulnerability that part of document that the author does not expect to change may change.

I respectfully disagree.
http://webkit.org/quality/bugpriorities.html

I don't think there is any "security" concern here.  If there was it should be under the Security component anyway.  P1s are generally regressions or crashes, of which this is neither.

Created attachment 33463 [details]
smaller patch with extra test case for unsplittable element

Comment on attachment 33463 [details]
smaller patch with extra test case for unsplittable element

r=me

Landed in http://trac.webkit.org/changeset/46373