Bug 456271, r+sr=bz

content/base/src/nsNodeUtils.cpp

@@ -516,6 +516,20 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
   nsINodeInfo *nodeInfo = aNode->mNodeInfo;
   nsCOMPtr<nsINodeInfo> newNodeInfo;
   if (nodeInfoManager) {
+
+    // Don't allow importing/adopting nodes from non-privileged "scriptable"
+    // documents to "non-scriptable" documents.
+    nsIDocument* newDoc = nodeInfoManager->GetDocument();
+    nsIDocument* currentDoc = aNode->GetOwnerDoc();
+    NS_ENSURE_STATE(newDoc && currentDoc);
+    PRBool hasHadScriptHandlingObject = PR_FALSE;
+    if (!newDoc->GetScriptHandlingObject(hasHadScriptHandlingObject) &&
+        !hasHadScriptHandlingObject) {
+      NS_ENSURE_STATE(nsContentUtils::IsChromeDoc(currentDoc) ||
+                      (!currentDoc->GetScriptHandlingObject(hasHadScriptHandlingObject) &&
+                       !hasHadScriptHandlingObject));
+    }
+
     newNodeInfo = nodeInfoManager->GetNodeInfo(nodeInfo->NameAtom(),
                                                nodeInfo->GetPrefixAtom(),
                                                nodeInfo->NamespaceID());

dom/src/base/nsDOMClassInfo.cpp

@@ -6829,6 +6829,18 @@ nsNodeSH::PreCreate(nsISupports *nativeObj, JSContext *cx, JSObject *globalObj,
     return NS_OK;
   }
 
+  // If we have a document, make sure one of these is true
+  // (1) it has a script handling object,
+  // (2) has had one, or has been marked to have had one,
+  // (3) we are running a privileged script.
+  // Event handling is possible only if (1). If (2) event handling is prevented.
+  // If document has never had a script handling object,
+  // untrusted scripts (3) shouldn't touch it!
+  PRBool hasHadScriptHandlingObject = PR_FALSE;
+  NS_ENSURE_STATE(doc->GetScriptHandlingObject(hasHadScriptHandlingObject) ||
+                  hasHadScriptHandlingObject ||
+                  IsPrivilegedScript());
+
   nsISupports *native_parent;
 
   if (node->IsNodeOfType(nsINode::eELEMENT | nsINode::eXUL)) {