Bug 640652 - When unsetting an attribute on a XUL element, don't let the script blocker to be removed when the document nested update count is 0, since that can trigger XBL bindings, which may run scripts to do things which would lead into crashes; r=sicking a=dveditz
Bug 640652 - When unsetting an attribute on a XUL element, don't let the script blocker to be removed when the document nested update count is 0, since that can trigger XBL bindings, which may run scripts to do things which would lead into crashes; r=sicking a=dveditz
--- a/content/xul/content/src/nsXULElement.cpp
+++ b/content/xul/content/src/nsXULElement.cpp
@@ -1336,17 +1336,18 @@ nsXULElement::UnsetAttr(PRInt32 aNameSpa
FindPrototypeAttribute(aNameSpaceID, aName);
if (protoattr) {
// We've got an attribute on the prototype, so we need to
// fully fault and remove the local copy.
rv = MakeHeavyweight();
NS_ENSURE_SUCCESS(rv, rv);
}
- nsAutoRemovableScriptBlocker scriptBlocker;
+ nsIDocument* doc = GetCurrentDoc();
+ mozAutoDocUpdate updateBatch(doc, UPDATE_CONTENT_MODEL, aNotify);
PRBool isId = PR_FALSE;
if (aName == nsGkAtoms::id && aNameSpaceID == kNameSpaceID_None) {
// Have to do this before clearing flag. See RemoveFromIdTable
RemoveFromIdTable();
isId = PR_TRUE;
}
@@ -1356,19 +1357,16 @@ nsXULElement::UnsetAttr(PRInt32 aNameSpa
"have a normal one");
return NS_OK;
}
nsAutoString oldValue;
GetAttr(aNameSpaceID, aName, oldValue);
- nsIDocument* doc = GetCurrentDoc();
- mozAutoDocUpdate updateBatch(doc, UPDATE_CONTENT_MODEL, aNotify);
-
// When notifying, make sure to keep track of states whose value
// depends solely on the value of an attribute.
nsEventStates stateMask;
if (aNotify) {
stateMask = IntrinsicState();
nsNodeUtils::AttributeWillChange(this, aNameSpaceID, aName,
nsIDOMMutationEvent::REMOVAL);