diff --git a/js/src/builtin/String.cpp b/js/src/builtin/String.cpp
index 166323fa370f..81803854957b 100644
--- a/js/src/builtin/String.cpp
+++ b/js/src/builtin/String.cpp
@@ -155,13 +155,11 @@ js::str_tainted(JSContext* cx, unsigned argc, Value* vp)
   // the original value of a manually tainted string was for debugging/testing.
   TaintOperation op = TaintOperation(source.c_str(), true, TaintLocationFromContext(cx), { taintarg(cx, str) });
   op.setSource();
-  SafeStringTaint taint(0, str->length(), op);
 
   JSString* tainted_str = NewDependentString(cx, str, 0, str->length());
   if (!tainted_str)
     return false;
-  tainted_str->setTaint(cx, taint);
-
+  JS_MarkTaintSource(cx, tainted_str, op);
   MOZ_ASSERT(tainted_str->isTainted());
 
   args.rval().setString(tainted_str);
diff --git a/js/src/jsapi.cpp b/js/src/jsapi.cpp
index 338dc0b8776b..ce9f0d0476bb 100644
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -4911,8 +4911,8 @@ JS_SetStringTaint(JSContext* cx, JSString* str, const StringTaint& taint)
 JS_PUBLIC_API void
 JS_MarkTaintSource(JSContext* cx, JSString* str, const TaintOperation& op)
 {
-  if (str->isTainted()) {
-    JS_SetStringTaint(cx, str, StringTaint(0, str->length(), op));
+  if (!str->isTainted()) {
+    JS_SetStringTaint(cx, str, SafeStringTaint(0, str->length(), op));
   } else {
     str->taint().overlay(0, str->length(), op);
   }