diff --git a/content/html/document/src/nsHTMLDocument.cpp b/content/html/document/src/nsHTMLDocument.cpp
index c22c99c2527..152307a0ce2 100644
--- a/content/html/document/src/nsHTMLDocument.cpp
+++ b/content/html/document/src/nsHTMLDocument.cpp
@@ -134,6 +134,8 @@
 #include "nsIEditor.h"
 #include "nsNodeInfoManager.h"
 
+#define NS_MAX_DOCUMENT_WRITE_DEPTH 20
+
 #define DETECTOR_CONTRACTID_MAX 127
 static char g_detector_contractid[DETECTOR_CONTRACTID_MAX + 1];
 static PRBool gInitDetector = PR_FALSE;
@@ -2275,6 +2277,10 @@ nsresult
 nsHTMLDocument::WriteCommon(const nsAString& aText,
                             PRBool aNewlineTerminate)
 {
+  mTooDeepWriteRecursion =
+    (mWriteLevel > NS_MAX_DOCUMENT_WRITE_DEPTH || mTooDeepWriteRecursion);
+  NS_ENSURE_STATE(!mTooDeepWriteRecursion);
+
   if (IsXHTML()) {
     // No calling document.write*() on XHTML!
 
@@ -2334,6 +2340,8 @@ nsHTMLDocument::WriteCommon(const nsAString& aText,
 
   --mWriteLevel;
 
+  mTooDeepWriteRecursion = (mWriteLevel != 0 && mTooDeepWriteRecursion);
+
   return rv;
 }
 
diff --git a/content/html/document/src/nsHTMLDocument.h b/content/html/document/src/nsHTMLDocument.h
index f1c01f3ba48..80493f82f2e 100644
--- a/content/html/document/src/nsHTMLDocument.h
+++ b/content/html/document/src/nsHTMLDocument.h
@@ -325,6 +325,8 @@ protected:
 
   PRPackedBool mIsFrameset;
 
+  PRPackedBool mTooDeepWriteRecursion;
+
   PRBool IdTableIsLive() const {
     // live if we've had over 63 misses
     return (mIdMissCount & 0x40) != 0;