Bug 1549925 - Mark all methods of nsIDocumentStateListener as can_run_script r=m_kato
authorMasayuki Nakano <masayuki@d-toybox.com>
Thu, 09 May 2019 07:37:51 +0000
changeset 531999 182cddeb1d5c3da2ad98d614dca215acc362eed5
parent 531998 395d80953041add27448419fd58a0682b2795455
child 532000 5fe53a1a47d12a3a5677807399fcbb4ae768ca1b
push id11265
push userffxbld-merge
push dateMon, 13 May 2019 10:53:39 +0000
treeherdermozilla-beta@77e0fe8dbdd3 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersm_kato
bugs1549925
milestone68.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1549925 - Mark all methods of nsIDocumentStateListener as can_run_script r=m_kato `nsIDocumentStateListener` is a scriptable interface and each method may run any script. So, we should mark them as `can_run_script`. Then, we need to mark a lot of editing methods because we need to mark `EditorBase::EndTransactionInternal()` and `EditorBase::DoTransactionInternal()` as `MOZ_CAN_RUN_SCRIPT`. Differential Revision: https://phabricator.services.mozilla.com/D30360
docshell/base/nsDocShellEditorData.h
dom/base/nsFrameLoader.h
dom/html/nsTextEditorState.cpp
dom/html/nsTextEditorState.h
editor/composer/nsEditingSession.cpp
editor/libeditor/CSSEditUtils.cpp
editor/libeditor/CSSEditUtils.h
editor/libeditor/EditorBase.cpp
editor/libeditor/EditorBase.h
editor/libeditor/EditorUtils.h
editor/libeditor/HTMLAbsPositionEditor.cpp
editor/libeditor/HTMLAnonymousNodeEditor.cpp
editor/libeditor/HTMLEditRules.cpp
editor/libeditor/HTMLEditor.cpp
editor/libeditor/HTMLEditor.h
editor/libeditor/HTMLEditorDocumentCommands.cpp
editor/libeditor/HTMLEditorObjectResizer.cpp
editor/nsIDocumentStateListener.idl
editor/nsIEditor.idl
editor/nsIHTMLAbsPosEditor.idl
editor/nsIHTMLEditor.idl
editor/nsIHTMLInlineTableEditor.idl
editor/nsIHTMLObjectResizer.idl
editor/spellchecker/TextServicesDocument.cpp
--- a/docshell/base/nsDocShellEditorData.h
+++ b/docshell/base/nsDocShellEditorData.h
@@ -17,22 +17,23 @@
 class nsIDocShell;
 class nsEditingSession;
 
 class nsDocShellEditorData {
  public:
   explicit nsDocShellEditorData(nsIDocShell* aOwningDocShell);
   ~nsDocShellEditorData();
 
-  nsresult MakeEditable(bool aWaitForUriLoad);
+  MOZ_CAN_RUN_SCRIPT_BOUNDARY nsresult MakeEditable(bool aWaitForUriLoad);
   bool GetEditable();
   nsEditingSession* GetEditingSession();
   mozilla::HTMLEditor* GetHTMLEditor() const { return mHTMLEditor; }
-  nsresult SetHTMLEditor(mozilla::HTMLEditor* aHTMLEditor);
-  void TearDownEditor();
+  MOZ_CAN_RUN_SCRIPT_BOUNDARY nsresult
+  SetHTMLEditor(mozilla::HTMLEditor* aHTMLEditor);
+  MOZ_CAN_RUN_SCRIPT_BOUNDARY void TearDownEditor();
   nsresult DetachFromWindow();
   nsresult ReattachToWindow(nsIDocShell* aDocShell);
   bool WaitingForLoad() const { return mMakeEditable; }
 
  protected:
   void EnsureEditingSession();
 
   // The doc shell that owns us. Weak ref, since it always outlives us.
--- a/dom/base/nsFrameLoader.h
+++ b/dom/base/nsFrameLoader.h
@@ -239,18 +239,21 @@ class nsFrameLoader final : public nsStu
       JSContext* aCx, const nsAString& aMessage,
       mozilla::dom::ipc::StructuredCloneData& aData,
       JS::Handle<JSObject*> aCpows, nsIPrincipal* aPrincipal) override;
 
   /**
    * Called from the layout frame associated with this frame loader;
    * this notifies us to hook up with the widget and view.
    */
-  bool Show(int32_t marginWidth, int32_t marginHeight, int32_t scrollbarPrefX,
-            int32_t scrollbarPrefY, nsSubDocumentFrame* frame);
+  MOZ_CAN_RUN_SCRIPT_BOUNDARY bool Show(int32_t marginWidth,
+                                        int32_t marginHeight,
+                                        int32_t scrollbarPrefX,
+                                        int32_t scrollbarPrefY,
+                                        nsSubDocumentFrame* frame);
 
   void MaybeShowFrame();
 
   /**
    * Called when the margin properties of the containing frame are changed.
    */
   void MarginsChanged(uint32_t aMarginWidth, uint32_t aMarginHeight);
 
--- a/dom/html/nsTextEditorState.cpp
+++ b/dom/html/nsTextEditorState.cpp
@@ -1229,21 +1229,21 @@ nsresult nsTextEditorState::BindToFrame(
 
     nsContentUtils::AddScriptRunner(
         new PrepareEditorEvent(*this, content, currentValue));
   }
 
   return NS_OK;
 }
 
-struct PreDestroyer {
+struct MOZ_STACK_CLASS PreDestroyer {
   void Init(TextEditor* aTextEditor) { mTextEditor = aTextEditor; }
-  ~PreDestroyer() {
+  MOZ_CAN_RUN_SCRIPT ~PreDestroyer() {
     if (mTextEditor) {
-      mTextEditor->PreDestroy(true);
+      MOZ_KnownLive(mTextEditor)->PreDestroy(true);
     }
   }
   void Swap(RefPtr<TextEditor>& aTextEditor) {
     return mTextEditor.swap(aTextEditor);
   }
 
  private:
   RefPtr<TextEditor> mTextEditor;
@@ -1912,17 +1912,18 @@ HTMLInputElement* nsTextEditorState::Get
   }
 
   return nullptr;
 }
 
 void nsTextEditorState::DestroyEditor() {
   // notify the editor that we are going away
   if (mEditorInitialized) {
-    mTextEditor->PreDestroy(true);
+    RefPtr<TextEditor> textEditor = mTextEditor;
+    textEditor->PreDestroy(true);
     mEditorInitialized = false;
   }
 }
 
 void nsTextEditorState::UnbindFromFrame(nsTextControlFrame* aFrame) {
   NS_ENSURE_TRUE_VOID(mBoundFrame);
 
   // If it was, however, it should be unbounded from the same frame.
--- a/dom/html/nsTextEditorState.h
+++ b/dom/html/nsTextEditorState.h
@@ -137,20 +137,20 @@ class HTMLInputElement;
 class RestoreSelectionState;
 
 class nsTextEditorState : public mozilla::SupportsWeakPtr<nsTextEditorState> {
  public:
   MOZ_DECLARE_WEAKREFERENCE_TYPENAME(nsTextEditorState)
   explicit nsTextEditorState(nsITextControlElement* aOwningElement);
   static nsTextEditorState* Construct(nsITextControlElement* aOwningElement,
                                       nsTextEditorState** aReusedState);
-  ~nsTextEditorState();
+  MOZ_CAN_RUN_SCRIPT_BOUNDARY ~nsTextEditorState();
 
   void Traverse(nsCycleCollectionTraversalCallback& cb);
-  void Unlink();
+  MOZ_CAN_RUN_SCRIPT_BOUNDARY void Unlink();
 
   void PrepareForReuse() {
     Unlink();
     mValue.reset();
     mValueBeingSet.Truncate();
     mTextCtrlElement = nullptr;
   }
 
@@ -372,18 +372,18 @@ class nsTextEditorState : public mozilla
 
   // not copy constructible
   nsTextEditorState(const nsTextEditorState&);
   // not assignable
   void operator=(const nsTextEditorState&);
 
   void ValueWasChanged(bool aNotify);
 
-  void DestroyEditor();
-  void Clear();
+  MOZ_CAN_RUN_SCRIPT void DestroyEditor();
+  MOZ_CAN_RUN_SCRIPT void Clear();
 
   nsresult InitializeRootNode();
 
   void FinishedRestoringSelection();
 
   mozilla::dom::HTMLInputElement* GetParentNumberControl(nsFrame* aFrame) const;
 
   bool EditorHasComposition();
--- a/editor/composer/nsEditingSession.cpp
+++ b/editor/composer/nsEditingSession.cpp
@@ -351,17 +351,18 @@ nsEditingSession::SetupEditorOnWindow(mo
 
   // now init the state maintainer
   // This allows notification of error state
   //  even if we don't create an editor
   rv = mComposerCommandsUpdater->Init(window);
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (mEditorStatus != eEditorCreationInProgress) {
-    mComposerCommandsUpdater->NotifyDocumentCreated();
+    RefPtr<ComposerCommandsUpdater> updater = mComposerCommandsUpdater;
+    updater->NotifyDocumentCreated();
     return NS_ERROR_FAILURE;
   }
 
   // Create editor and do other things
   //  only if we haven't found some error above,
   nsCOMPtr<nsIDocShell> docShell = window->GetDocShell();
   NS_ENSURE_TRUE(docShell, NS_ERROR_FAILURE);
   RefPtr<PresShell> presShell = docShell->GetPresShell();
--- a/editor/libeditor/CSSEditUtils.cpp
+++ b/editor/libeditor/CSSEditUtils.cpp
@@ -807,18 +807,19 @@ int32_t CSSEditUtils::SetCSSEquivalentTo
   nsTArray<nsString> cssValueArray;
   GenerateCSSDeclarationsFromHTMLStyle(aElement, aHTMLProperty, aAttribute,
                                        aValue, cssPropertyArray, cssValueArray,
                                        false);
 
   // set the individual CSS inline styles
   size_t count = cssPropertyArray.Length();
   for (size_t index = 0; index < count; index++) {
-    nsresult rv = SetCSSProperty(*aElement, *cssPropertyArray[index],
-                                 cssValueArray[index], aSuppressTransaction);
+    nsresult rv =
+        SetCSSProperty(*aElement, MOZ_KnownLive(*cssPropertyArray[index]),
+                       cssValueArray[index], aSuppressTransaction);
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return 0;
     }
   }
   return count;
 }
 
 // Remove from aNode the CSS inline style equivalent to
--- a/editor/libeditor/CSSEditUtils.h
+++ b/editor/libeditor/CSSEditUtils.h
@@ -91,24 +91,27 @@ class CSSEditUtils final {
    *
    * @param aElement       [IN] A DOM element.
    * @param aProperty      [IN] An atom containing the CSS property to set.
    * @param aValue         [IN] A string containing the value of the CSS
    *                            property.
    * @param aSuppressTransaction [IN] A boolean indicating, when true,
    *                                  that no transaction should be recorded.
    */
-  nsresult SetCSSProperty(dom::Element& aElement, nsAtom& aProperty,
-                          const nsAString& aValue, bool aSuppressTxn = false);
-  nsresult SetCSSPropertyPixels(dom::Element& aElement, nsAtom& aProperty,
-                                int32_t aIntValue);
-  MOZ_CAN_RUN_SCRIPT
-  nsresult RemoveCSSProperty(dom::Element& aElement, nsAtom& aProperty,
-                             const nsAString& aPropertyValue,
-                             bool aSuppressTxn = false);
+  MOZ_CAN_RUN_SCRIPT nsresult SetCSSProperty(dom::Element& aElement,
+                                             nsAtom& aProperty,
+                                             const nsAString& aValue,
+                                             bool aSuppressTxn = false);
+  MOZ_CAN_RUN_SCRIPT nsresult SetCSSPropertyPixels(dom::Element& aElement,
+                                                   nsAtom& aProperty,
+                                                   int32_t aIntValue);
+  MOZ_CAN_RUN_SCRIPT nsresult RemoveCSSProperty(dom::Element& aElement,
+                                                nsAtom& aProperty,
+                                                const nsAString& aPropertyValue,
+                                                bool aSuppressTxn = false);
 
   /**
    * Gets the specified/computed style value of a CSS property for a given
    * node (or its element ancestor if it is not an element).
    *
    * @param aNode          [IN] A DOM node.
    * @param aProperty      [IN] An atom containing the CSS property to get.
    * @param aPropertyValue [OUT] The retrieved value of the property.
@@ -239,20 +242,19 @@ class CSSEditUtils final {
    * @param aAttribute     [IN] An atom to an attribute name or nullptr
    *                            if irrelevant.
    * @param aValue         [IN] The attribute value.
    * @param aSuppressTransaction [IN] A boolean indicating, when true,
    *                                  that no transaction should be recorded.
    *
    * @return               The number of CSS properties set by the call.
    */
-  int32_t SetCSSEquivalentToHTMLStyle(dom::Element* aElement, nsAtom* aProperty,
-                                      nsAtom* aAttribute,
-                                      const nsAString* aValue,
-                                      bool aSuppressTransaction);
+  MOZ_CAN_RUN_SCRIPT int32_t SetCSSEquivalentToHTMLStyle(
+      dom::Element* aElement, nsAtom* aProperty, nsAtom* aAttribute,
+      const nsAString* aValue, bool aSuppressTransaction);
 
   /**
    * Removes from the node the CSS inline styles equivalent to the HTML style.
    *
    * @param aElement       [IN] A DOM Element (must not be null).
    * @param aHTMLProperty  [IN] An atom containing an HTML property.
    * @param aAttribute     [IN] An atom to an attribute name or nullptr if
    *                            irrelevant.
--- a/editor/libeditor/EditorBase.cpp
+++ b/editor/libeditor/EditorBase.cpp
@@ -697,17 +697,19 @@ EditorBase::DoTransaction(nsITransaction
 
 nsresult EditorBase::DoTransactionInternal(nsITransaction* aTxn) {
   if (mPlaceholderBatch && !mPlaceholderTransaction) {
     mPlaceholderTransaction = PlaceholderTransaction::Create(
         *this, mPlaceholderName, std::move(mSelState));
     MOZ_ASSERT(mSelState.isNothing());
 
     // We will recurse, but will not hit this case in the nested call
-    DoTransactionInternal(mPlaceholderTransaction);
+    RefPtr<PlaceholderTransaction> placeholderTransaction =
+        mPlaceholderTransaction;
+    DoTransactionInternal(placeholderTransaction);
 
     if (mTransactionManager) {
       nsCOMPtr<nsITransaction> topTransaction =
           mTransactionManager->PeekUndoStack();
       nsCOMPtr<nsIAbsorbingTransaction> topAbsorbingTransaction =
           do_QueryInterface(topTransaction);
       if (topAbsorbingTransaction) {
         RefPtr<PlaceholderTransaction> topPlaceholderTransaction =
@@ -3873,18 +3875,18 @@ void EditorBase::EndUpdateViewBatch() {
   }
 
   // We may need to show resizing handles or update existing ones after
   // all transactions are done. This way of doing is preferred to DOM
   // mutation events listeners because all the changes the user can apply
   // to a document may result in multiple events, some of them quite hard
   // to listen too (in particular when an ancestor of the selection is
   // changed but the selection itself is not changed).
-  DebugOnly<nsresult> rv = htmlEditor->RefereshEditingUI();
-  NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "RefereshEditingUI() failed");
+  DebugOnly<nsresult> rv = MOZ_KnownLive(htmlEditor)->RefreshEditingUI();
+  NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "RefreshEditingUI() failed");
 }
 
 TextComposition* EditorBase::GetComposition() const { return mComposition; }
 
 EditorRawDOMPoint EditorBase::GetCompositionStartPoint() const {
   return mComposition ? EditorRawDOMPoint(mComposition->GetStartRef())
                       : EditorRawDOMPoint();
 }
--- a/editor/libeditor/EditorBase.h
+++ b/editor/libeditor/EditorBase.h
@@ -175,26 +175,26 @@ class EditorBase : public nsIEditor,
   virtual nsresult Init(Document& doc, Element* aRoot,
                         nsISelectionController* aSelCon, uint32_t aFlags,
                         const nsAString& aInitialValue);
 
   /**
    * PostCreate should be called after Init, and is the time that the editor
    * tells its documentStateObservers that the document has been created.
    */
-  nsresult PostCreate();
+  MOZ_CAN_RUN_SCRIPT nsresult PostCreate();
 
   /**
    * PreDestroy is called before the editor goes away, and gives the editor a
    * chance to tell its documentStateObservers that the document is going away.
    * @param aDestroyingFrames set to true when the frames being edited
    * are being destroyed (so there is no need to modify any nsISelections,
    * nor is it safe to do so)
    */
-  virtual void PreDestroy(bool aDestroyingFrames);
+  MOZ_CAN_RUN_SCRIPT virtual void PreDestroy(bool aDestroyingFrames);
 
   bool IsInitialized() const { return !!mDocument; }
   bool Destroyed() const { return mDidPreDestroy; }
 
   Document* GetDocument() const { return mDocument; }
 
   PresShell* GetPresShell() const {
     return mDocument ? mDocument->GetPresShell() : nullptr;
@@ -1400,17 +1400,17 @@ class EditorBase : public nsIEditor,
    * @param aRightNode  The node which will be inserted the contents of
    *                    aLeftNode.
    * @return            The point of the first child of the last right node.
    */
   MOZ_CAN_RUN_SCRIPT
   EditorDOMPoint JoinNodesDeepWithTransaction(nsIContent& aLeftNode,
                                               nsIContent& aRightNode);
 
-  nsresult DoTransactionInternal(nsITransaction* aTxn);
+  MOZ_CAN_RUN_SCRIPT nsresult DoTransactionInternal(nsITransaction* aTxn);
 
   virtual bool IsBlockNode(nsINode* aNode);
 
   /**
    * Set outOffset to the offset of aChild in the parent.
    * Returns the parent of aChild.
    */
   static nsINode* GetNodeLocation(nsINode* aChild, int32_t* aOffset);
@@ -1778,27 +1778,27 @@ class EditorBase : public nsIEditor,
    * manager batches.
    */
   MOZ_CAN_RUN_SCRIPT_BOUNDARY
   void BeginPlaceholderTransaction(nsAtom* aTransactionName);
   MOZ_CAN_RUN_SCRIPT_BOUNDARY
   void EndPlaceholderTransaction();
 
   void BeginUpdateViewBatch();
-  void EndUpdateViewBatch();
+  MOZ_CAN_RUN_SCRIPT void EndUpdateViewBatch();
 
   /**
    * Used by AutoTransactionBatch.  After calling BeginTransactionInternal(),
    * all transactions will be treated as an atomic transaction.  I.e.,
    * two or more transactions are undid once.
    * XXX What's the difference with PlaceholderTransaction? Should we always
    *     use it instead?
    */
   void BeginTransactionInternal();
-  void EndTransactionInternal();
+  MOZ_CAN_RUN_SCRIPT void EndTransactionInternal();
 
  protected:  // Shouldn't be used by friend classes
   /**
    * The default destructor. This should suffice. Should this be pure virtual
    * for someone to derive from the EditorBase later? I don't believe so.
    */
   virtual ~EditorBase();
 
@@ -1855,39 +1855,39 @@ class EditorBase : public nsIEditor,
   void FireInputEvent();
   MOZ_CAN_RUN_SCRIPT
   void FireInputEvent(EditAction aEditAction, const nsAString& aData,
                       dom::DataTransfer* aDataTransfer);
 
   /**
    * Called after a transaction is done successfully.
    */
-  void DoAfterDoTransaction(nsITransaction* aTxn);
+  MOZ_CAN_RUN_SCRIPT void DoAfterDoTransaction(nsITransaction* aTxn);
 
   /**
    * Called after a transaction is undone successfully.
    */
 
-  void DoAfterUndoTransaction();
+  MOZ_CAN_RUN_SCRIPT void DoAfterUndoTransaction();
 
   /**
    * Called after a transaction is redone successfully.
    */
-  void DoAfterRedoTransaction();
+  MOZ_CAN_RUN_SCRIPT void DoAfterRedoTransaction();
 
   /**
    * Tell the doc state listeners that the doc state has changed.
    */
   enum TDocumentListenerNotification {
     eDocumentCreated,
     eDocumentToBeDestroyed,
     eDocumentStateChanged
   };
-  nsresult NotifyDocumentListeners(
-      TDocumentListenerNotification aNotificationType);
+  MOZ_CAN_RUN_SCRIPT nsresult
+  NotifyDocumentListeners(TDocumentListenerNotification aNotificationType);
 
   /**
    * Make the given selection span the entire document.
    */
   MOZ_CAN_RUN_SCRIPT
   virtual nsresult SelectEntireDocument() = 0;
 
   /**
@@ -2043,27 +2043,29 @@ class EditorBase : public nsIEditor,
   nsresult SetTextDirectionTo(TextDirection aTextDirection);
 
  protected:  // helper classes which may be used by friends
   /**
    * Stack based helper class for calling EditorBase::EndTransactionInternal().
    */
   class MOZ_RAII AutoTransactionBatch final {
    public:
-    explicit AutoTransactionBatch(
+    MOZ_CAN_RUN_SCRIPT explicit AutoTransactionBatch(
         EditorBase& aEditorBase MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
         : mEditorBase(aEditorBase) {
       MOZ_GUARD_OBJECT_NOTIFIER_INIT;
-      mEditorBase->BeginTransactionInternal();
+      mEditorBase.BeginTransactionInternal();
     }
 
-    ~AutoTransactionBatch() { mEditorBase->EndTransactionInternal(); }
+    MOZ_CAN_RUN_SCRIPT ~AutoTransactionBatch() {
+      MOZ_KnownLive(mEditorBase).EndTransactionInternal();
+    }
 
    protected:
-    OwningNonNull<EditorBase> mEditorBase;
+    EditorBase& mEditorBase;
     MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
   };
 
   /**
    * Stack based helper class for batching a collection of transactions inside
    * a placeholder transaction.
    */
   class MOZ_RAII AutoPlaceholderBatch final {
@@ -2180,24 +2182,26 @@ class EditorBase : public nsIEditor,
     MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
   };
 
   /***************************************************************************
    * stack based helper class for batching reflow and paint requests.
    */
   class MOZ_RAII AutoUpdateViewBatch final {
    public:
-    explicit AutoUpdateViewBatch(
+    MOZ_CAN_RUN_SCRIPT explicit AutoUpdateViewBatch(
         EditorBase& aEditorBase MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
         : mEditorBase(aEditorBase) {
       MOZ_GUARD_OBJECT_NOTIFIER_INIT;
       mEditorBase.BeginUpdateViewBatch();
     }
 
-    ~AutoUpdateViewBatch() { mEditorBase.EndUpdateViewBatch(); }
+    MOZ_CAN_RUN_SCRIPT ~AutoUpdateViewBatch() {
+      MOZ_KnownLive(mEditorBase).EndUpdateViewBatch();
+    }
 
    protected:
     EditorBase& mEditorBase;
     MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
   };
 
  protected:
   enum Tristate { eTriUnset, eTriFalse, eTriTrue };
--- a/editor/libeditor/EditorUtils.h
+++ b/editor/libeditor/EditorUtils.h
@@ -401,29 +401,31 @@ class MOZ_STACK_CLASS SplitRangeOffFromN
 /***************************************************************************
  * stack based helper class for calling EditorBase::EndTransaction() after
  * EditorBase::BeginTransaction().  This shouldn't be used in editor classes
  * or helper classes while an edit action is being handled.  Use
  * AutoTransactionBatch in such cases since it uses non-virtual internal
  * methods.
  ***************************************************************************/
 class MOZ_RAII AutoTransactionBatchExternal final {
- private:
-  OwningNonNull<EditorBase> mEditorBase;
-  MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
-
  public:
-  explicit AutoTransactionBatchExternal(
+  MOZ_CAN_RUN_SCRIPT explicit AutoTransactionBatchExternal(
       EditorBase& aEditorBase MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
       : mEditorBase(aEditorBase) {
     MOZ_GUARD_OBJECT_NOTIFIER_INIT;
-    mEditorBase->BeginTransaction();
+    mEditorBase.BeginTransaction();
   }
 
-  ~AutoTransactionBatchExternal() { mEditorBase->EndTransaction(); }
+  MOZ_CAN_RUN_SCRIPT ~AutoTransactionBatchExternal() {
+    MOZ_KnownLive(mEditorBase).EndTransaction();
+  }
+
+ private:
+  EditorBase& mEditorBase;
+  MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
 };
 
 class MOZ_STACK_CLASS AutoRangeArray final {
  public:
   explicit AutoRangeArray(dom::Selection* aSelection) {
     if (!aSelection) {
       return;
     }
--- a/editor/libeditor/HTMLAbsPositionEditor.cpp
+++ b/editor/libeditor/HTMLAbsPositionEditor.cpp
@@ -272,18 +272,19 @@ nsresult HTMLEditor::RefreshGrabberInter
       *mAbsolutelyPositionedObject, mPositionedObjectX, mPositionedObjectY,
       mPositionedObjectWidth, mPositionedObjectHeight,
       mPositionedObjectBorderLeft, mPositionedObjectBorderTop,
       mPositionedObjectMarginLeft, mPositionedObjectMarginTop);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
+  RefPtr<Element> grabber = mGrabber.get();
   SetAnonymousElementPosition(mPositionedObjectX + 12, mPositionedObjectY - 14,
-                              mGrabber);
+                              grabber);
   return NS_OK;
 }
 
 void HTMLEditor::HideGrabberInternal() {
   if (NS_WARN_IF(!mAbsolutelyPositionedObject)) {
     return;
   }
 
@@ -359,28 +360,33 @@ nsresult HTMLEditor::StartMoving() {
 
   // now, let's create the resizing shadow
   mPositioningShadow =
       CreateShadow(*parentContent, *mAbsolutelyPositionedObject);
   if (NS_WARN_IF(!mPositioningShadow) ||
       NS_WARN_IF(!mAbsolutelyPositionedObject)) {
     return NS_ERROR_FAILURE;
   }
+  RefPtr<Element> positioningShadow = mPositioningShadow.get();
+  RefPtr<Element> absolutelyPositionedObject = mAbsolutelyPositionedObject;
   nsresult rv =
-      SetShadowPosition(*mPositioningShadow, *mAbsolutelyPositionedObject,
+      SetShadowPosition(*positioningShadow, *absolutelyPositionedObject,
                         mPositionedObjectX, mPositionedObjectY);
-  NS_ENSURE_SUCCESS(rv, rv);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
 
   // make the shadow appear
   mPositioningShadow->UnsetAttr(kNameSpaceID_None, nsGkAtoms::_class, true);
 
   // position it
-  mCSSEditUtils->SetCSSPropertyPixels(*mPositioningShadow, *nsGkAtoms::width,
+  positioningShadow = mPositioningShadow.get();
+  mCSSEditUtils->SetCSSPropertyPixels(*positioningShadow, *nsGkAtoms::width,
                                       mPositionedObjectWidth);
-  mCSSEditUtils->SetCSSPropertyPixels(*mPositioningShadow, *nsGkAtoms::height,
+  mCSSEditUtils->SetCSSPropertyPixels(*positioningShadow, *nsGkAtoms::height,
                                       mPositionedObjectHeight);
 
   mIsMoving = true;
   return NS_OK;  // XXX Looks like nobody refers this result
 }
 
 void HTMLEditor::SnapToGrid(int32_t& newX, int32_t& newY) {
   if (mSnapToGridEnabled && mGridSize) {
@@ -419,17 +425,17 @@ nsresult HTMLEditor::EndMoving() {
         static_cast<HTMLEditorEventListener*>(mEventListener.get())
             ->ListenToMouseMoveEventForGrabber(false);
     NS_WARNING_ASSERTION(NS_SUCCEEDED(rvIgnored),
                          "Failed to remove mousemove event listener");
   }
 
   mGrabberClicked = false;
   mIsMoving = false;
-  nsresult rv = RefereshEditingUI();
+  nsresult rv = RefreshEditingUI();
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
   return NS_OK;
 }
 nsresult HTMLEditor::SetFinalPosition(int32_t aX, int32_t aY) {
   nsresult rv = EndMoving();
   NS_ENSURE_SUCCESS(rv, rv);
--- a/editor/libeditor/HTMLAnonymousNodeEditor.cpp
+++ b/editor/libeditor/HTMLAnonymousNodeEditor.cpp
@@ -309,24 +309,24 @@ void HTMLEditor::HideAnonymousEditingUIs
 
 NS_IMETHODIMP
 HTMLEditor::CheckSelectionStateForAnonymousButtons() {
   AutoEditActionDataSetter editActionData(*this, EditAction::eNotEditing);
   if (NS_WARN_IF(!editActionData.CanHandle())) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
-  nsresult rv = RefereshEditingUI();
+  nsresult rv = RefreshEditingUI();
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return EditorBase::ToGenericNSResult(rv);
   }
   return NS_OK;
 }
 
-nsresult HTMLEditor::RefereshEditingUI() {
+nsresult HTMLEditor::RefreshEditingUI() {
   MOZ_ASSERT(IsEditActionDataAvailable());
 
   // First, we need to remove unnecessary editing UI now since some of them
   // may be disabled while them are visible.
   HideAnonymousEditingUIsIfUnnecessary();
 
   // early way out if all contextual UI extensions are disabled
   if (!IsObjectResizerEnabled() && !IsAbsolutePositionEditorEnabled() &&
--- a/editor/libeditor/HTMLEditRules.cpp
+++ b/editor/libeditor/HTMLEditRules.cpp
@@ -6165,18 +6165,18 @@ nsresult HTMLEditRules::AlignContentsAtS
     if (HTMLEditUtils::IsListItem(curNode) || HTMLEditUtils::IsList(curNode)) {
       AutoEditorDOMPointOffsetInvalidator lockChild(atCurNode);
       rv = RemoveAlignment(*curNode, aAlignType, true);
       if (NS_WARN_IF(NS_FAILED(rv))) {
         return rv;
       }
       if (useCSS) {
         HTMLEditorRef().mCSSEditUtils->SetCSSEquivalentToHTMLStyle(
-            curNode->AsElement(), nullptr, nsGkAtoms::align, &aAlignType,
-            false);
+            MOZ_KnownLive(curNode->AsElement()), nullptr, nsGkAtoms::align,
+            &aAlignType, false);
         if (NS_WARN_IF(!CanHandleEditAction())) {
           return NS_ERROR_EDITOR_DESTROYED;
         }
         curDiv = nullptr;
         continue;
       }
       if (HTMLEditUtils::IsList(atCurNode.GetContainer())) {
         // If we don't use CSS, add a content to list element: they have to
@@ -10461,17 +10461,18 @@ nsresult HTMLEditRules::AlignBlock(Eleme
   return NS_OK;
 }
 
 nsresult HTMLEditRules::ChangeMarginStart(Element& aElement, bool aIncrease) {
   MOZ_ASSERT(IsEditorDataAvailable());
 
   nsAtom& marginProperty = MarginPropertyAtomForIndent(aElement);
   nsAutoString value;
-  CSSEditUtils::GetSpecifiedProperty(aElement, marginProperty, value);
+  CSSEditUtils::GetSpecifiedProperty(aElement, MOZ_KnownLive(marginProperty),
+                                     value);
   if (NS_WARN_IF(!CanHandleEditAction())) {
     return NS_ERROR_EDITOR_DESTROYED;
   }
   float f;
   RefPtr<nsAtom> unit;
   CSSEditUtils::ParseLength(value, &f, getter_AddRefs(unit));
   if (!f) {
     nsAutoString defaultLengthUnit;
@@ -10498,18 +10499,18 @@ nsresult HTMLEditRules::ChangeMarginStar
   } else if (nsGkAtoms::percentage == unit) {
     f += NS_EDITOR_INDENT_INCREMENT_PERCENT * multiplier;
   }
 
   if (0 < f) {
     nsAutoString newValue;
     newValue.AppendFloat(f);
     newValue.Append(nsDependentAtomString(unit));
-    HTMLEditorRef().mCSSEditUtils->SetCSSProperty(aElement, marginProperty,
-                                                  newValue);
+    HTMLEditorRef().mCSSEditUtils->SetCSSProperty(
+        aElement, MOZ_KnownLive(marginProperty), newValue);
     if (NS_WARN_IF(!CanHandleEditAction())) {
       return NS_ERROR_EDITOR_DESTROYED;
     }
     return NS_OK;
   }
 
   HTMLEditorRef().mCSSEditUtils->RemoveCSSProperty(
       aElement, MOZ_KnownLive(marginProperty), value);
@@ -10933,18 +10934,18 @@ nsresult HTMLEditRules::WillRelativeChan
   if (NS_WARN_IF(!element)) {
     return NS_ERROR_FAILURE;
   }
 
   {
     AutoSelectionRestorer restoreSelectionLater(HTMLEditorRef());
 
     int32_t zIndex;
-    nsresult rv =
-        HTMLEditorRef().RelativeChangeElementZIndex(*element, aChange, &zIndex);
+    nsresult rv = MOZ_KnownLive(HTMLEditorRef())
+                      .RelativeChangeElementZIndex(*element, aChange, &zIndex);
     if (NS_WARN_IF(!CanHandleEditAction())) {
       return NS_ERROR_EDITOR_DESTROYED;
     }
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return rv;
     }
   }
 
--- a/editor/libeditor/HTMLEditor.cpp
+++ b/editor/libeditor/HTMLEditor.cpp
@@ -357,30 +357,30 @@ HTMLEditor::NotifySelectionChanged(Docum
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   if (mTypeInState) {
     RefPtr<TypeInState> typeInState = mTypeInState;
     typeInState->OnSelectionChange(*aSelection);
 
     // We used a class which derived from nsISelectionListener to call
-    // HTMLEditor::RefereshEditingUI().  The lifetime of the class was
+    // HTMLEditor::RefreshEditingUI().  The lifetime of the class was
     // exactly same as mTypeInState.  So, call it only when mTypeInState
     // is not nullptr.
     if ((aReason & (nsISelectionListener::MOUSEDOWN_REASON |
                     nsISelectionListener::KEYPRESS_REASON |
                     nsISelectionListener::SELECTALL_REASON)) &&
         aSelection) {
       // the selection changed and we need to check if we have to
       // hide and/or redisplay resizing handles
       // FYI: This is an XPCOM method.  So, the caller, Selection, guarantees
       //      the lifetime of this instance.  So, don't need to grab this with
       //      local variable.
-      DebugOnly<nsresult> rv = RefereshEditingUI();
-      NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "RefereshEditingUI() failed");
+      DebugOnly<nsresult> rv = RefreshEditingUI();
+      NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "RefreshEditingUI() failed");
     }
   }
 
   if (mComposerCommandsUpdater) {
     RefPtr<ComposerCommandsUpdater> updater = mComposerCommandsUpdater;
     updater->OnSelectionChange();
   }
 
@@ -4375,19 +4375,19 @@ nsresult HTMLEditor::SetCSSBackgroundCol
         if (blockParent && cachedBlockParent != blockParent) {
           cachedBlockParent = blockParent;
           mCSSEditUtils->SetCSSEquivalentToHTMLStyle(
               blockParent, nullptr, nsGkAtoms::bgcolor, &aColor, false);
         }
       } else if (startNode == endNode &&
                  startNode->IsHTMLElement(nsGkAtoms::body) && isCollapsed) {
         // No block in the document, let's apply the background to the body
-        mCSSEditUtils->SetCSSEquivalentToHTMLStyle(startNode->AsElement(),
-                                                   nullptr, nsGkAtoms::bgcolor,
-                                                   &aColor, false);
+        mCSSEditUtils->SetCSSEquivalentToHTMLStyle(
+            MOZ_KnownLive(startNode->AsElement()), nullptr, nsGkAtoms::bgcolor,
+            &aColor, false);
       } else if (startNode == endNode && (endOffset - startOffset == 1 ||
                                           (!startOffset && !endOffset))) {
         // A unique node is selected, let's also apply the background color to
         // the containing block, possibly the node itself
         nsCOMPtr<nsIContent> selectedNode = range->GetChildAtStartOffset();
         nsCOMPtr<Element> blockParent = GetBlock(*selectedNode);
         if (blockParent && cachedBlockParent != blockParent) {
           cachedBlockParent = blockParent;
--- a/editor/libeditor/HTMLEditor.h
+++ b/editor/libeditor/HTMLEditor.h
@@ -116,17 +116,17 @@ class HTMLEditor final : public TextEdit
 
   // nsISelectionListener overrides
   NS_DECL_NSISELECTIONLISTENER
 
   HTMLEditor();
 
   nsHTMLDocument* GetHTMLDocument() const;
 
-  virtual void PreDestroy(bool aDestroyingFrames) override;
+  MOZ_CAN_RUN_SCRIPT virtual void PreDestroy(bool aDestroyingFrames) override;
 
   bool GetReturnInParagraphCreatesNewParagraph();
 
   // TextEditor overrides
   MOZ_CAN_RUN_SCRIPT
   virtual nsresult Init(Document& aDoc, Element* aRoot,
                         nsISelectionController* aSelCon, uint32_t aFlags,
                         const nsAString& aValue) override;
@@ -213,27 +213,28 @@ class HTMLEditor final : public TextEdit
 
   /**
    * event callback when a mouse button is pressed
    * @param aX      [IN] horizontal position of the pointer
    * @param aY      [IN] vertical position of the pointer
    * @param aTarget [IN] the element triggering the event
    * @param aMouseEvent [IN] the event
    */
-  nsresult OnMouseDown(int32_t aX, int32_t aY, Element* aTarget,
-                       dom::Event* aMouseEvent);
+  MOZ_CAN_RUN_SCRIPT nsresult OnMouseDown(int32_t aX, int32_t aY,
+                                          Element* aTarget,
+                                          dom::Event* aMouseEvent);
 
   /**
    * event callback when a mouse button is released
    * @param aX      [IN] horizontal position of the pointer
    * @param aY      [IN] vertical position of the pointer
    * @param aTarget [IN] the element triggering the event
    */
-  MOZ_CAN_RUN_SCRIPT
-  nsresult OnMouseUp(int32_t aX, int32_t aY, Element* aTarget);
+  MOZ_CAN_RUN_SCRIPT nsresult OnMouseUp(int32_t aX, int32_t aY,
+                                        Element* aTarget);
 
   /**
    * event callback when the mouse pointer is moved
    * @param aMouseEvent [IN] the event
    */
   MOZ_CAN_RUN_SCRIPT nsresult OnMouseMove(dom::MouseEvent* aMouseEvent);
 
   /**
@@ -246,72 +247,72 @@ class HTMLEditor final : public TextEdit
     // TODO: removal of mCSSAware and use only the presence of mCSSEditUtils
     return mCSSAware && mCSSEditUtils && mCSSEditUtils->IsCSSPrefChecked();
   }
 
   /**
    * Enable/disable object resizers for <img> elements, <table> elements,
    * absolute positioned elements (required absolute position editor enabled).
    */
-  void EnableObjectResizer(bool aEnable) {
+  MOZ_CAN_RUN_SCRIPT void EnableObjectResizer(bool aEnable) {
     if (mIsObjectResizingEnabled == aEnable) {
       return;
     }
 
     AutoEditActionDataSetter editActionData(
         *this, EditAction::eEnableOrDisableResizer);
     if (NS_WARN_IF(!editActionData.CanHandle())) {
       return;
     }
 
     mIsObjectResizingEnabled = aEnable;
-    RefereshEditingUI();
+    RefreshEditingUI();
   }
   bool IsObjectResizerEnabled() const { return mIsObjectResizingEnabled; }
 
   /**
    * Enable/disable inline table editor, e.g., adding new row or column,
    * removing existing row or column.
    */
-  void EnableInlineTableEditor(bool aEnable) {
+  MOZ_CAN_RUN_SCRIPT void EnableInlineTableEditor(bool aEnable) {
     if (mIsInlineTableEditingEnabled == aEnable) {
       return;
     }
 
     AutoEditActionDataSetter editActionData(
         *this, EditAction::eEnableOrDisableInlineTableEditingUI);
     if (NS_WARN_IF(!editActionData.CanHandle())) {
       return;
     }
 
     mIsInlineTableEditingEnabled = aEnable;
-    RefereshEditingUI();
+    RefreshEditingUI();
   }
   bool IsInlineTableEditorEnabled() const {
     return mIsInlineTableEditingEnabled;
   }
 
   /**
    * Enable/disable absolute position editor, resizing absolute positioned
    * elements (required object resizers enabled) or positioning them with
    * dragging grabber.
    */
-  void EnableAbsolutePositionEditor(bool aEnable) {
+  MOZ_CAN_RUN_SCRIPT void EnableAbsolutePositionEditor(bool aEnable) {
     if (mIsAbsolutelyPositioningEnabled == aEnable) {
       return;
     }
 
     AutoEditActionDataSetter editActionData(
         *this, EditAction::eEnableOrDisableAbsolutePositionEditor);
     if (NS_WARN_IF(!editActionData.CanHandle())) {
       return;
     }
 
     mIsAbsolutelyPositioningEnabled = aEnable;
-    RefereshEditingUI();
+    RefreshEditingUI();
   }
   bool IsAbsolutePositionEditorEnabled() const {
     return mIsAbsolutelyPositioningEnabled;
   }
 
   // non-virtual methods of interface methods
 
   /**
@@ -687,18 +688,19 @@ class HTMLEditor final : public TextEdit
 
   /**
    * adds aChange to the z-index of an arbitrary element.
    * @param aElement [IN] the element
    * @param aChange  [IN] relative change to apply to current z-index of
    *                      the element
    * @param aReturn  [OUT] the new z-index of the element
    */
-  nsresult RelativeChangeElementZIndex(Element& aElement, int32_t aChange,
-                                       int32_t* aReturn);
+  MOZ_CAN_RUN_SCRIPT nsresult RelativeChangeElementZIndex(Element& aElement,
+                                                          int32_t aChange,
+                                                          int32_t* aReturn);
 
   virtual bool IsBlockNode(nsINode* aNode) override;
   using EditorBase::IsBlockNode;
 
   /**
    * returns true if aParentTag can contain a child of type aChildTag.
    */
   virtual bool TagCanContainTag(nsAtom& aParentTag,
@@ -1540,16 +1542,17 @@ class HTMLEditor final : public TextEdit
   nsresult GetLastCellInRow(nsINode* aRowNode, nsINode** aCellNode);
 
   static nsresult GetCellFromRange(nsRange* aRange, Element** aCell);
 
   /**
    * This sets background on the appropriate container element (table, cell,)
    * or calls into nsTextEditor to set the page background.
    */
+  MOZ_CAN_RUN_SCRIPT
   nsresult SetCSSBackgroundColorWithTransaction(const nsAString& aColor);
   MOZ_CAN_RUN_SCRIPT
   nsresult SetHTMLBackgroundColorWithTransaction(const nsAString& aColor);
 
   virtual void InitializeSelectionAncestorLimit(
       nsIContent& aAncestorLimit) override;
 
   /**
@@ -2155,17 +2158,18 @@ class HTMLEditor final : public TextEdit
 
   /**
    * sets the position of an element; warning it does NOT check if the
    * element is already positioned or not and that's on purpose.
    * @param aElement [IN] the element
    * @param aX       [IN] the x position in pixels.
    * @param aY       [IN] the y position in pixels.
    */
-  void SetTopAndLeft(Element& aElement, int32_t aX, int32_t aY);
+  MOZ_CAN_RUN_SCRIPT void SetTopAndLeft(Element& aElement, int32_t aX,
+                                        int32_t aY);
 
   /**
    * Reset a selected cell or collapsed selection (the caret) after table
    * editing.
    *
    * @param aTable      A table in the document.
    * @param aRow        The row ...
    * @param aCol        ... and column defining the cell where we will try to
@@ -2188,21 +2192,21 @@ class HTMLEditor final : public TextEdit
 
   void RemoveListenerAndDeleteRef(const nsAString& aEvent,
                                   nsIDOMEventListener* aListener,
                                   bool aUseCapture, ManualNACPtr aElement,
                                   PresShell* aPresShell);
   void DeleteRefToAnonymousNode(ManualNACPtr aContent, PresShell* aPresShell);
 
   /**
-   * RefereshEditingUI() may refresh editing UIs for current Selection, focus,
+   * RefreshEditingUI() may refresh editing UIs for current Selection, focus,
    * etc.  If this shows or hides some UIs, it causes reflow.  So, this is
    * not safe method.
    */
-  nsresult RefereshEditingUI();
+  MOZ_CAN_RUN_SCRIPT nsresult RefreshEditingUI();
 
   /**
    * Returns the offset of an element's frame to its absolute containing block.
    */
   nsresult GetElementOrigin(Element& aElement, int32_t& aX, int32_t& aY);
   nsresult GetPositionAndDimensions(Element& aElement, int32_t& aX, int32_t& aY,
                                     int32_t& aW, int32_t& aH,
                                     int32_t& aBorderLeft, int32_t& aBorderTop,
@@ -2213,73 +2217,75 @@ class HTMLEditor final : public TextEdit
   void UpdateRootElement();
 
   /**
    * SetAllResizersPosition() moves all resizers to proper position.
    * If the resizers are hidden or replaced with another set of resizers
    * while this is running, this returns error.  So, callers shouldn't
    * keep handling the resizers if this returns error.
    */
-  nsresult SetAllResizersPosition();
+  MOZ_CAN_RUN_SCRIPT nsresult SetAllResizersPosition();
 
   /**
    * Shows active resizers around an element's frame
    * @param aResizedElement [IN] a DOM Element
    */
-  nsresult ShowResizersInternal(Element& aResizedElement);
+  MOZ_CAN_RUN_SCRIPT nsresult ShowResizersInternal(Element& aResizedElement);
 
   /**
    * Hide resizers if they are visible.  If this is called while there is no
    * visible resizers, this does not return error, but does nothing.
    */
   nsresult HideResizersInternal();
 
   /**
    * RefreshResizersInternal() moves resizers to proper position.  This does
    * nothing if there is no resizing target.
    */
-  nsresult RefreshResizersInternal();
+  MOZ_CAN_RUN_SCRIPT nsresult RefreshResizersInternal();
 
   ManualNACPtr CreateResizer(int16_t aLocation, nsIContent& aParentContent);
-  void SetAnonymousElementPosition(int32_t aX, int32_t aY, Element* aResizer);
+  MOZ_CAN_RUN_SCRIPT void SetAnonymousElementPosition(int32_t aX, int32_t aY,
+                                                      Element* aResizer);
 
   ManualNACPtr CreateShadow(nsIContent& aParentContent,
                             Element& aOriginalObject);
 
   /**
    * SetShadowPosition() moves the shadow element to proper position.
    *
    * @param aShadowElement      Must be mResizingShadow or mPositioningShadow.
    * @param aElement            The element which has the shadow.
    * @param aElementX           Left of aElement.
    * @param aElementY           Top of aElement.
    */
-  nsresult SetShadowPosition(Element& aShadowElement, Element& aElement,
-                             int32_t aElementLeft, int32_t aElementTop);
+  MOZ_CAN_RUN_SCRIPT nsresult SetShadowPosition(Element& aShadowElement,
+                                                Element& aElement,
+                                                int32_t aElementLeft,
+                                                int32_t aElementTop);
 
   ManualNACPtr CreateResizingInfo(nsIContent& aParentContent);
-  nsresult SetResizingInfoPosition(int32_t aX, int32_t aY, int32_t aW,
-                                   int32_t aH);
+  MOZ_CAN_RUN_SCRIPT nsresult SetResizingInfoPosition(int32_t aX, int32_t aY,
+                                                      int32_t aW, int32_t aH);
 
   enum class ResizeAt {
     eX,
     eY,
     eWidth,
     eHeight,
   };
   int32_t GetNewResizingIncrement(int32_t aX, int32_t aY, ResizeAt aResizeAt);
 
-  nsresult StartResizing(Element* aHandle);
+  MOZ_CAN_RUN_SCRIPT nsresult StartResizing(Element* aHandle);
   int32_t GetNewResizingX(int32_t aX, int32_t aY);
   int32_t GetNewResizingY(int32_t aX, int32_t aY);
   int32_t GetNewResizingWidth(int32_t aX, int32_t aY);
   int32_t GetNewResizingHeight(int32_t aX, int32_t aY);
   void HideShadowAndInfo();
-  MOZ_CAN_RUN_SCRIPT
-  void SetFinalSize(int32_t aX, int32_t aY);
+  MOZ_CAN_RUN_SCRIPT void SetFinalSize(int32_t aX, int32_t aY);
   void SetResizeIncrements(int32_t aX, int32_t aY, int32_t aW, int32_t aH,
                            bool aPreserveRatio);
 
   /**
    * HideAnonymousEditingUIs() forcibly hides all editing UIs (resizers,
    * inline-table-editing UI, absolute positioning UI).
    */
   void HideAnonymousEditingUIs();
@@ -2290,91 +2296,93 @@ class HTMLEditor final : public TextEdit
    */
   void HideAnonymousEditingUIsIfUnnecessary();
 
   /**
    * sets the z-index of an element.
    * @param aElement [IN] the element
    * @param aZorder  [IN] the z-index
    */
-  void SetZIndex(Element& aElement, int32_t aZorder);
+  MOZ_CAN_RUN_SCRIPT void SetZIndex(Element& aElement, int32_t aZorder);
 
   /**
    * shows a grabber attached to an arbitrary element. The grabber is an image
    * positioned on the left hand side of the top border of the element. Draggin
    * and dropping it allows to change the element's absolute position in the
    * document. See chrome://editor/content/images/grabber.gif
    * @param aElement [IN] the element
    */
-  nsresult ShowGrabberInternal(Element& aElement);
+  MOZ_CAN_RUN_SCRIPT nsresult ShowGrabberInternal(Element& aElement);
 
   /**
    * Setting grabber to proper position for current mAbsolutelyPositionedObject.
    * For example, while an element has grabber, the element may be resized
    * or repositioned by script or something.  Then, you need to reset grabber
    * position with this.
    */
-  nsresult RefreshGrabberInternal();
+  MOZ_CAN_RUN_SCRIPT nsresult RefreshGrabberInternal();
 
   /**
    * hide the grabber if it shown.
    */
   void HideGrabberInternal();
 
   /**
    * CreateGrabberInternal() creates a grabber for moving aParentContent.
    * This sets mGrabber to the new grabber.  If this returns true, it's
    * always non-nullptr.  Otherwise, i.e., the grabber is hidden during
    * creation, this returns false.
    */
   bool CreateGrabberInternal(nsIContent& aParentContent);
 
-  nsresult StartMoving();
-  nsresult SetFinalPosition(int32_t aX, int32_t aY);
+  MOZ_CAN_RUN_SCRIPT nsresult StartMoving();
+  MOZ_CAN_RUN_SCRIPT nsresult SetFinalPosition(int32_t aX, int32_t aY);
   void AddPositioningOffset(int32_t& aX, int32_t& aY);
   void SnapToGrid(int32_t& newX, int32_t& newY);
   nsresult GrabberClicked();
-  nsresult EndMoving();
+  MOZ_CAN_RUN_SCRIPT nsresult EndMoving();
   nsresult GetTemporaryStyleForFocusedPositionedElement(Element& aElement,
                                                         nsAString& aReturn);
 
   /**
    * Shows inline table editing UI around a <table> element which contains
    * aCellElement.  This returns error if creating UI is hidden during this,
    * or detects another set of UI during this.  In such case, callers
    * shouldn't keep handling anything for the UI.
    *
    * @param aCellElement    Must be an <td> or <th> element.
    */
-  nsresult ShowInlineTableEditingUIInternal(Element& aCellElement);
+  MOZ_CAN_RUN_SCRIPT nsresult
+  ShowInlineTableEditingUIInternal(Element& aCellElement);
 
   /**
    * Hide all inline table editing UI.
    */
   void HideInlineTableEditingUIInternal();
 
   /**
    * RefreshInlineTableEditingUIInternal() moves inline table editing UI to
    * proper position.  This returns error if the UI is hidden or replaced
    * during moving.
    */
-  nsresult RefreshInlineTableEditingUIInternal();
+  MOZ_CAN_RUN_SCRIPT nsresult RefreshInlineTableEditingUIInternal();
 
   /**
    * IsEmptyTextNode() returns true if aNode is a text node and does not have
    * any visible characters.
    */
   bool IsEmptyTextNode(nsINode& aNode);
 
-  bool IsSimpleModifiableNode(nsIContent* aContent, nsAtom* aProperty,
-                              nsAtom* aAttribute, const nsAString* aValue);
-  MOZ_CAN_RUN_SCRIPT
-  nsresult SetInlinePropertyOnNodeImpl(nsIContent& aNode, nsAtom& aProperty,
-                                       nsAtom* aAttribute,
-                                       const nsAString& aValue);
+  MOZ_CAN_RUN_SCRIPT bool IsSimpleModifiableNode(nsIContent* aContent,
+                                                 nsAtom* aProperty,
+                                                 nsAtom* aAttribute,
+                                                 const nsAString* aValue);
+  MOZ_CAN_RUN_SCRIPT nsresult
+  SetInlinePropertyOnNodeImpl(nsIContent& aNode, nsAtom& aProperty,
+                              nsAtom* aAttribute, const nsAString& aValue);
   typedef enum { eInserted, eAppended } InsertedOrAppended;
   void DoContentInserted(nsIContent* aChild, InsertedOrAppended);
 
   /**
    * Returns an anonymous Element of type aTag,
    * child of aParentContent. If aIsCreatedHidden is true, the class
    * "hidden" is added to the created element. If aAnonClass is not
    * the empty string, it becomes the value of the attribute "_moz_anonclass"
--- a/editor/libeditor/HTMLEditorDocumentCommands.cpp
+++ b/editor/libeditor/HTMLEditorDocumentCommands.cpp
@@ -169,43 +169,43 @@ nsresult SetDocumentStateCommand::DoComm
       if (NS_WARN_IF(!htmlEditor)) {
         return NS_ERROR_INVALID_ARG;
       }
       ErrorResult error;
       bool enabled = aParams->GetBool(STATE_ATTRIBUTE, error);
       if (NS_WARN_IF(error.Failed())) {
         return error.StealNSResult();
       }
-      htmlEditor->EnableObjectResizer(enabled);
+      MOZ_KnownLive(htmlEditor)->EnableObjectResizer(enabled);
       return NS_OK;
     }
     case Command::ToggleInlineTableEditor: {
       HTMLEditor* htmlEditor = aTextEditor.AsHTMLEditor();
       if (NS_WARN_IF(!htmlEditor)) {
         return NS_ERROR_INVALID_ARG;
       }
       ErrorResult error;
       bool enabled = aParams->GetBool(STATE_ATTRIBUTE, error);
       if (NS_WARN_IF(error.Failed())) {
         return error.StealNSResult();
       }
-      htmlEditor->EnableInlineTableEditor(enabled);
+      MOZ_KnownLive(htmlEditor)->EnableInlineTableEditor(enabled);
       return NS_OK;
     }
     case Command::ToggleAbsolutePositionEditor: {
       HTMLEditor* htmlEditor = aTextEditor.AsHTMLEditor();
       if (NS_WARN_IF(!htmlEditor)) {
         return NS_ERROR_INVALID_ARG;
       }
       ErrorResult error;
       bool enabled = aParams->GetBool(STATE_ATTRIBUTE, error);
       if (NS_WARN_IF(error.Failed())) {
         return error.StealNSResult();
       }
-      htmlEditor->EnableAbsolutePositionEditor(enabled);
+      MOZ_KnownLive(htmlEditor)->EnableAbsolutePositionEditor(enabled);
       return NS_OK;
     }
     default:
       return NS_ERROR_NOT_IMPLEMENTED;
   }
 }
 
 nsresult SetDocumentStateCommand::GetCommandStateParams(
--- a/editor/libeditor/HTMLEditorObjectResizer.cpp
+++ b/editor/libeditor/HTMLEditorObjectResizer.cpp
@@ -142,48 +142,55 @@ nsresult HTMLEditor::SetAllResizersPosit
   // While moving each resizer, mutation event listener may hide the resizers.
   // And in worst case, new resizers may be recreated.  So, we need to store
   // all resizers here, and then, if we detect a resizer is removed or replaced,
   // we should do nothing anymore.
   // FYI: Note that only checking if mTopLeftHandle is replaced is enough.
   //      We're may be in hot path if user resizes an element a lot.  So,
   //      we should just add-ref mTopLeftHandle.
   RefPtr<Element> topLeftHandle = mTopLeftHandle.get();
-  SetAnonymousElementPosition(x - rw, y - rh, mTopLeftHandle);
+  SetAnonymousElementPosition(x - rw, y - rh, topLeftHandle);
   if (NS_WARN_IF(topLeftHandle != mTopLeftHandle)) {
     return NS_ERROR_FAILURE;
   }
-  SetAnonymousElementPosition(x + w / 2 - rw, y - rh, mTopHandle);
+  RefPtr<Element> topHandle = mTopHandle.get();
+  SetAnonymousElementPosition(x + w / 2 - rw, y - rh, topHandle);
   if (NS_WARN_IF(topLeftHandle != mTopLeftHandle)) {
     return NS_ERROR_FAILURE;
   }
-  SetAnonymousElementPosition(x + w - rw - 1, y - rh, mTopRightHandle);
+  RefPtr<Element> topRightHandle = mTopRightHandle.get();
+  SetAnonymousElementPosition(x + w - rw - 1, y - rh, topRightHandle);
   if (NS_WARN_IF(topLeftHandle != mTopLeftHandle)) {
     return NS_ERROR_FAILURE;
   }
 
-  SetAnonymousElementPosition(x - rw, y + h / 2 - rh, mLeftHandle);
+  RefPtr<Element> leftHandle = mLeftHandle.get();
+  SetAnonymousElementPosition(x - rw, y + h / 2 - rh, leftHandle);
   if (NS_WARN_IF(topLeftHandle != mTopLeftHandle)) {
     return NS_ERROR_FAILURE;
   }
-  SetAnonymousElementPosition(x + w - rw - 1, y + h / 2 - rh, mRightHandle);
+  RefPtr<Element> rightHandle = mRightHandle.get();
+  SetAnonymousElementPosition(x + w - rw - 1, y + h / 2 - rh, rightHandle);
   if (NS_WARN_IF(topLeftHandle != mTopLeftHandle)) {
     return NS_ERROR_FAILURE;
   }
 
-  SetAnonymousElementPosition(x - rw, y + h - rh - 1, mBottomLeftHandle);
+  RefPtr<Element> bottomLeftHandle = mBottomLeftHandle.get();
+  SetAnonymousElementPosition(x - rw, y + h - rh - 1, bottomLeftHandle);
   if (NS_WARN_IF(topLeftHandle != mTopLeftHandle)) {
     return NS_ERROR_FAILURE;
   }
-  SetAnonymousElementPosition(x + w / 2 - rw, y + h - rh - 1, mBottomHandle);
+  RefPtr<Element> bottomHandle = mBottomHandle.get();
+  SetAnonymousElementPosition(x + w / 2 - rw, y + h - rh - 1, bottomHandle);
   if (NS_WARN_IF(topLeftHandle != mTopLeftHandle)) {
     return NS_ERROR_FAILURE;
   }
+  RefPtr<Element> bottomRightHandle = mBottomRightHandle.get();
   SetAnonymousElementPosition(x + w - rw - 1, y + h - rh - 1,
-                              mBottomRightHandle);
+                              bottomRightHandle);
   if (NS_WARN_IF(topLeftHandle != mTopLeftHandle)) {
     return NS_ERROR_FAILURE;
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
@@ -219,17 +226,19 @@ nsresult HTMLEditor::RefreshResizersInte
   rv = SetAllResizersPosition();
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
   MOZ_ASSERT(
       mResizingShadow,
       "SetAllResizersPosition() should return error if resizers are hidden");
-  rv = SetShadowPosition(*mResizingShadow, *mResizedObject, mResizedObjectX,
+  RefPtr<Element> resizingShadow = mResizingShadow.get();
+  RefPtr<Element> resizedObject = mResizedObject;
+  rv = SetShadowPosition(*resizingShadow, *resizedObject, mResizedObjectX,
                          mResizedObjectY);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
   return NS_OK;
 }
 
 nsresult HTMLEditor::ShowResizersInternal(Element& aResizedElement) {
@@ -374,17 +383,18 @@ nsresult HTMLEditor::ShowResizersInterna
     }
     if (NS_WARN_IF(mResizingShadow) ||
         NS_WARN_IF(mResizedObject != &aResizedElement)) {
       return NS_ERROR_FAILURE;
     }
     mResizingShadow = std::move(newShadow);
 
     // and set its position
-    rv = SetShadowPosition(*mResizingShadow, aResizedElement, mResizedObjectX,
+    RefPtr<Element> resizingShadow = mResizingShadow.get();
+    rv = SetShadowPosition(*resizingShadow, aResizedElement, mResizedObjectX,
                            mResizedObjectY);
     if (NS_WARN_IF(NS_FAILED(rv))) {
       if (NS_WARN_IF(mBottomRightHandle.get() != createdBottomRightNalde)) {
         return NS_ERROR_FAILURE;
       }
       break;
     }
 
@@ -582,19 +592,20 @@ nsresult HTMLEditor::StartResizing(Eleme
   } else if (locationStr.Equals(kBottomRight)) {
     SetResizeIncrements(0, 0, 1, 1, preserveRatio);
   }
 
   // make the shadow appear
   mResizingShadow->UnsetAttr(kNameSpaceID_None, nsGkAtoms::_class, true);
 
   // position it
-  mCSSEditUtils->SetCSSPropertyPixels(*mResizingShadow, *nsGkAtoms::width,
+  RefPtr<Element> resizingShadow = mResizingShadow.get();
+  mCSSEditUtils->SetCSSPropertyPixels(*resizingShadow, *nsGkAtoms::width,
                                       mResizedObjectWidth);
-  mCSSEditUtils->SetCSSPropertyPixels(*mResizingShadow, *nsGkAtoms::height,
+  mCSSEditUtils->SetCSSPropertyPixels(*resizingShadow, *nsGkAtoms::height,
                                       mResizedObjectHeight);
 
   // add a mouse move listener to the editor
   if (NS_WARN_IF(!mEventListener)) {
     return NS_ERROR_NOT_INITIALIZED;
   }
   nsresult rv = static_cast<HTMLEditorEventListener*>(mEventListener.get())
                     ->ListenToMouseMoveEventForResizers(true);
@@ -720,19 +731,20 @@ nsresult HTMLEditor::SetResizingInfoPosi
   } else {
     // should only occur when mActivatedHandle is one of the 3 bottom-side
     // handles, but this is a reasonable default if it isn't any of them (?)
     infoYPosition = aY + aH;
   }
 
   // Offset info box by 20 so it's not directly under the mouse cursor.
   const int mouseCursorOffset = 20;
-  mCSSEditUtils->SetCSSPropertyPixels(*mResizingInfo, *nsGkAtoms::left,
+  RefPtr<Element> resizingInfo = mResizingInfo.get();
+  mCSSEditUtils->SetCSSPropertyPixels(*resizingInfo, *nsGkAtoms::left,
                                       infoXPosition + mouseCursorOffset);
-  mCSSEditUtils->SetCSSPropertyPixels(*mResizingInfo, *nsGkAtoms::top,
+  mCSSEditUtils->SetCSSPropertyPixels(*resizingInfo, *nsGkAtoms::top,
                                       infoYPosition + mouseCursorOffset);
 
   nsCOMPtr<nsIContent> textInfo = mResizingInfo->GetFirstChild();
   ErrorResult erv;
   if (textInfo) {
     mResizingInfo->RemoveChild(*textInfo, erv);
     NS_ENSURE_TRUE(!erv.Failed(), erv.StealNSResult());
     textInfo = nullptr;
@@ -882,23 +894,23 @@ nsresult HTMLEditor::OnMouseMove(MouseEv
     int32_t clientX = aMouseEvent->ClientX();
     int32_t clientY = aMouseEvent->ClientY();
 
     int32_t newX = GetNewResizingX(clientX, clientY);
     int32_t newY = GetNewResizingY(clientX, clientY);
     int32_t newWidth = GetNewResizingWidth(clientX, clientY);
     int32_t newHeight = GetNewResizingHeight(clientX, clientY);
 
-    mCSSEditUtils->SetCSSPropertyPixels(*mResizingShadow, *nsGkAtoms::left,
+    RefPtr<Element> resizingShadow = mResizingShadow.get();
+    mCSSEditUtils->SetCSSPropertyPixels(*resizingShadow, *nsGkAtoms::left,
                                         newX);
-    mCSSEditUtils->SetCSSPropertyPixels(*mResizingShadow, *nsGkAtoms::top,
-                                        newY);
-    mCSSEditUtils->SetCSSPropertyPixels(*mResizingShadow, *nsGkAtoms::width,
+    mCSSEditUtils->SetCSSPropertyPixels(*resizingShadow, *nsGkAtoms::top, newY);
+    mCSSEditUtils->SetCSSPropertyPixels(*resizingShadow, *nsGkAtoms::width,
                                         newWidth);
-    mCSSEditUtils->SetCSSPropertyPixels(*mResizingShadow, *nsGkAtoms::height,
+    mCSSEditUtils->SetCSSPropertyPixels(*resizingShadow, *nsGkAtoms::height,
                                         newHeight);
 
     return SetResizingInfoPosition(newX, newY, newWidth, newHeight);
   }
 
   AutoEditActionDataSetter editActionData(*this, EditAction::eMoveElement);
   if (NS_WARN_IF(!editActionData.CanHandle())) {
     return NS_ERROR_NOT_INITIALIZED;
@@ -923,19 +935,20 @@ nsresult HTMLEditor::OnMouseMove(MouseEv
     int32_t clientX = aMouseEvent->ClientX();
     int32_t clientY = aMouseEvent->ClientY();
 
     int32_t newX = mPositionedObjectX + clientX - mOriginalX;
     int32_t newY = mPositionedObjectY + clientY - mOriginalY;
 
     SnapToGrid(newX, newY);
 
-    mCSSEditUtils->SetCSSPropertyPixels(*mPositioningShadow, *nsGkAtoms::left,
+    RefPtr<Element> positioningShadow = mPositioningShadow.get();
+    mCSSEditUtils->SetCSSPropertyPixels(*positioningShadow, *nsGkAtoms::left,
                                         newX);
-    mCSSEditUtils->SetCSSPropertyPixels(*mPositioningShadow, *nsGkAtoms::top,
+    mCSSEditUtils->SetCSSPropertyPixels(*positioningShadow, *nsGkAtoms::top,
                                         newY);
   }
   return NS_OK;
 }
 
 void HTMLEditor::SetFinalSize(int32_t aX, int32_t aY) {
   if (!mResizedObject) {
     // paranoia
@@ -987,21 +1000,21 @@ void HTMLEditor::SetFinalSize(int32_t aX
     }
 
     if (setHeight &&
         resizedObject->HasAttr(kNameSpaceID_None, nsGkAtoms::height)) {
       RemoveAttributeWithTransaction(*resizedObject, *nsGkAtoms::height);
     }
 
     if (setWidth) {
-      mCSSEditUtils->SetCSSPropertyPixels(*mResizedObject, *nsGkAtoms::width,
+      mCSSEditUtils->SetCSSPropertyPixels(*resizedObject, *nsGkAtoms::width,
                                           width);
     }
     if (setHeight) {
-      mCSSEditUtils->SetCSSPropertyPixels(*mResizedObject, *nsGkAtoms::height,
+      mCSSEditUtils->SetCSSPropertyPixels(*resizedObject, *nsGkAtoms::height,
                                           height);
     }
   } else {
     // we use HTML size and remove all equivalent CSS properties
 
     // we set the CSS width and height to remove it later,
     // triggering an immediate reflow; otherwise, we have problems
     // with asynchronous reflow
--- a/editor/nsIDocumentStateListener.idl
+++ b/editor/nsIDocumentStateListener.idl
@@ -3,14 +3,15 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 
 [scriptable, uuid(050cdc00-3b8e-11d3-9ce4-a458f454fcbc)]
 interface nsIDocumentStateListener : nsISupports
 {
-
-	void        NotifyDocumentCreated();
-	void        NotifyDocumentWillBeDestroyed();
-	void        NotifyDocumentStateChanged(in boolean nowDirty);
-
+  [can_run_script]
+  void NotifyDocumentCreated();
+  [can_run_script]
+  void NotifyDocumentWillBeDestroyed();
+  [can_run_script]
+  void NotifyDocumentStateChanged(in boolean nowDirty);
 };
--- a/editor/nsIEditor.idl
+++ b/editor/nsIEditor.idl
@@ -116,44 +116,47 @@ interface nsIEditor  : nsISupports
 
   /** Sets the current 'Save' document character set */
   [can_run_script]  // setter only
   attribute ACString documentCharacterSet;
 
   /** to be used ONLY when we need to override the doc's modification
     * state (such as when it's saved).
     */
+  [can_run_script]
   void resetModificationCount();
 
   /** Gets the modification count of the document we are editing.
     * @return the modification count of the document being edited.
     *         Zero means unchanged.
     */
   long getModificationCount();
 
   /** called each time we modify the document.
     * Increments the modification count of the document.
     * @param  aModCount  the number of modifications by which
     *                    to increase or decrease the count
     */
+  [can_run_script]
   void incrementModificationCount(in long aModCount);
 
   /* ------------ Transaction methods -------------- */
 
   /** transactionManager Get the transaction manager the editor is using.
     */
   readonly attribute nsITransactionManager transactionManager;
 
   /** doTransaction() fires a transaction.
     * It is provided here so clients can create their own transactions.
     * If a transaction manager is present, it is used.
     * Otherwise, the transaction is just executed directly.
     *
     * @param aTxn the transaction to execute
     */
+  [can_run_script]
   void doTransaction(in nsITransaction txn);
 
 
   /** turn the undo system on or off
     * @param aEnable  if PR_TRUE, the undo system is turned on if available
     *                 if PR_FALSE the undo system is turned off if it
     *                 was previously on
     * @return         if aEnable is PR_TRUE, returns NS_OK if
@@ -215,16 +218,17 @@ interface nsIEditor  : nsISupports
   void beginTransaction();
 
   /** endTransaction is a signal to the editor that the caller is
     * finished updating the content model.<br>
     * beginUpdate must be called before endTransaction is called.<br>
     * Calls to beginTransaction can be nested, as long as endTransaction
     * is called once per beginTransaction.
     */
+  [can_run_script]
   void endTransaction();
 
   /**
    * While setting the flag with this method to false, CreateElementTransaction,
    * DeleteRangeTransaction, DeleteTextTransaction, InsertNodeTransaction,
    * InsertTextTransaction and SplitNodeTransaction won't change Selection
    * after modifying the DOM tree.
    * Note that calling this with false does not guarantee that Selection won't
--- a/editor/nsIHTMLAbsPosEditor.idl
+++ b/editor/nsIHTMLAbsPosEditor.idl
@@ -7,16 +7,17 @@
 #include "domstubs.idl"
 
 [scriptable, builtinclass, uuid(91375f52-20e6-4757-9835-eb04fabe5498)]
 interface nsIHTMLAbsPosEditor : nsISupports
 {
   /**
    * true if Absolute Positioning handling is enabled in the editor
    */
+  [can_run_script]  // Setter only.
   attribute boolean absolutePositioningEnabled;
 
 
   /* Utility methods */
 
   /**
    * true if Snap To Grid is enabled in the editor.
    */
@@ -30,10 +31,11 @@ interface nsIHTMLAbsPosEditor : nsISuppo
 
   /* Other */
 
   /**
    * refreshes the grabber if it shown, possibly updating its position or
    * even hiding it.
    * FYI: Current user in script is only BlueGriffon.
    */
+  [can_run_script]
   void refreshGrabber();
 };
--- a/editor/nsIHTMLEditor.idl
+++ b/editor/nsIHTMLEditor.idl
@@ -408,16 +408,17 @@ interface nsIHTMLEditor : nsISupports
 
   /**
    * checkSelectionStateForAnonymousButtons() may refresh editing UI such as
    * resizers, inline-table-editing UI, absolute positioning UI for current
    * Selection and focus state.  When this method shows or hides UI, the
    * editor (and/or its document/window) could be broken by mutation observers.
    * FYI: Current user in script is only BlueGriffon.
    */
+  [can_run_script]
   void checkSelectionStateForAnonymousButtons();
 
   boolean isAnonymousElement(in Element aElement);
 
   /**
    * A boolean indicating if a return key pressed in a paragraph creates
    * another paragraph or just inserts a <br> at the caret
    *
--- a/editor/nsIHTMLInlineTableEditor.idl
+++ b/editor/nsIHTMLInlineTableEditor.idl
@@ -10,20 +10,22 @@
 interface nsIHTMLInlineTableEditor : nsISupports
 {
   /**
    * boolean indicating if inline table editing is enabled in the editor.
    * When inline table editing is enabled, and when the selection is
    * contained in a table cell, special buttons allowing to add/remove
    * a line/column are available on the cell's border.
    */
+  [can_run_script]  // Setter only.
   attribute boolean inlineTableEditingEnabled;
 
   /**
    * Refresh already visible inline table editing UI.
    * If inline table editing UI is not visible, this does nothing.
    * If the set of inline table editing UI is hidden or replaced with new
    * one while this is called, this throws an exception.
    * FYI: Current user in script is only BlueGriffon.
    */
+  [can_run_script]
   void refreshInlineTableEditingUI();
 };
 
--- a/editor/nsIHTMLObjectResizer.idl
+++ b/editor/nsIHTMLObjectResizer.idl
@@ -21,24 +21,26 @@ interface nsIHTMLObjectResizer : nsISupp
   const short eRight = 4;
   const short eBottomLeft = 5;
   const short eBottom = 6;
   const short eBottomRight = 7;
 
   /**
    * a boolean indicating if object resizing is enabled in the editor
    */
+  [can_run_script]  // Setter only.
   attribute boolean objectResizingEnabled;
 
   /**
    * Hide resizers if they are visible.  If this is called while there is no
    * visible resizers, this does not throw exception, just does nothing.
    */
   void hideResizers();
 
   /**
    * Refresh positions of resizers.  If you change size of target of resizers,
    * you need to refresh position of resizers with calling this.
    * FYI: Current user in script is only BlueGriffon.
    */
+  [can_run_script]
   void refreshResizers();
 };
 
--- a/editor/spellchecker/TextServicesDocument.cpp
+++ b/editor/spellchecker/TextServicesDocument.cpp
@@ -1084,19 +1084,20 @@ nsresult TextServicesDocument::InsertTex
 
     nsresult rv = SetSelection(mSelStartOffset, 0);
 
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
   // AutoTransactionBatchExternal grabs mTextEditor, so, we don't need to grab
   // the instance with local variable here.
-  AutoTransactionBatchExternal treatAsOneTransaction(*mTextEditor);
-
-  nsresult rv = mTextEditor->InsertTextAsAction(aText);
+  RefPtr<TextEditor> textEditor = mTextEditor;
+  AutoTransactionBatchExternal treatAsOneTransaction(*textEditor);
+
+  nsresult rv = textEditor->InsertTextAsAction(aText);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   int32_t strLength = aText.Length();
 
   OffsetEntry* itEntry;
   OffsetEntry* entry = mOffsetTable[mSelStartIndex];