From c3b5ddfbc1c6639a7b507ca642feb09af91eba1d Mon Sep 17 00:00:00 2001
From: Thomas Barber <thomas.barber@sap.com>
Date: Sat, 24 Feb 2024 09:28:49 +0000
Subject: [PATCH] Foxhound: create atoms if StringBuilder is untainted

---
 js/src/util/StringBuffer.cpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/js/src/util/StringBuffer.cpp b/js/src/util/StringBuffer.cpp
index 8209e467b8db6..d9425600c70f2 100644
--- a/js/src/util/StringBuffer.cpp
+++ b/js/src/util/StringBuffer.cpp
@@ -97,14 +97,16 @@ JSLinearString* StringBuffer::finishStringInternal(JSContext* cx,
                                                    gc::Heap heap) {
   size_t len = length();
 
+  // Taintfox: Disable static string return
+  if (!this->taint()) {
+    if (JSAtom* staticStr = cx->staticStrings().lookup(begin<CharT>(), len)) {
+      return staticStr;
+    }
+  }
+
   // Taintfox: propagate taint
   SafeStringTaint taint = this->taint().safeCopy();
 
-  // Taintfox: Disable static string return
-  // if (JSAtom* staticStr = cx->staticStrings().lookup(begin<CharT>(), len)) {
-  //   return staticStr;
-  // }
-
   if (JSInlineString::lengthFits<CharT>(len)) {
     mozilla::Range<const CharT> range(begin<CharT>(), len);
     JSLinearString* str = NewInlineString<CanGC>(cx, range);