From a7b8ec708c2566cc6e69c0b464e416c018227b02 Mon Sep 17 00:00:00 2001
From: Ben Murdoch
Date: Thu, 21 Oct 2010 16:17:55 +0100
Subject: [PATCH] Cherry-pick WebKit security fix (webkit.org r68860) Do not merge See http://trac.webkit.org/changeset/68860
Change-Id: I7860374528be836e1f4ea7c6faa48966fd3ed23c
---
 WebCore/rendering/RenderObjectChildList.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/WebCore/rendering/RenderObjectChildList.cpp b/WebCore/rendering/RenderObjectChildList.cpp
index 24e864588..65c35f0eb 100644
--- a/WebCore/rendering/RenderObjectChildList.cpp
+++ b/WebCore/rendering/RenderObjectChildList.cpp
@@ -429,7 +429,10 @@ void RenderObjectChildList::updateBeforeAfterContent(RenderObject* owner, Pseudo
 generatedContentContainer->setStyle(pseudoElementStyle);
 owner->addChild(generatedContentContainer, insertBefore);
 }
- generatedContentContainer->addChild(renderer);
+ if (generatedContentContainer->isChildAllowed(renderer, pseudoElementStyle))
+ generatedContentContainer->addChild(renderer);
+ else
+ renderer->destroy();
 }
 }
 }
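Review bot: The new `isChildAllowed` guard and its `renderer->destroy()` fallback carry no comment, and the commit message only links to the upstream changeset, so the reason a generated-content renderer can be rejected is not recorded next to the code. A one-line comment above the `if` would help, e.g. `// The container may not accept this renderer; destroy the never-attached renderer instead of inserting it.` It is also worth confirming what happens when the container was created and added to `owner` in the context lines just above and the child is then rejected: the container appears to stay in the tree with no children, so later layout and teardown paths need to tolerate an empty generated-content container. The body of `updateBeforeAfterContent` starts outside this hunk, so the enclosing loop and the point where `renderer` is created are not visible here.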