diff --git a/NEWS b/NEWS index c0f131e8..5a3dfdfa 100644 --- a/NEWS +++ b/NEWS @@ -12,6 +12,9 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier 3.1.1, unknown release date ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength. - Disable percent height/width attributes for img +- AttrValidator operations are now atomic; updates to attributes are not + manifest in token until end of operations. This prevents naughty internal + code from directly modifying CurrentToken when they're not supposed to. . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses this class. diff --git a/TODO b/TODO index cc37aaec..a7f3736a 100644 --- a/TODO +++ b/TODO @@ -12,9 +12,8 @@ amount of effort to implement, it may get endlessly delayed. Do not be afraid to cast your vote for the next feature to be implemented! - Implement validation for query and for fragment -- Prevent percentages from being used in width/height attribute in images -- Maintain old attribute data in tokens (configurable?) -- Lazy update of token when validating attributes? +- Ability to fully turn off imagecrash fixes (attribute and CSS will require + two separate directives due to our architecture.) - Investigate how early internal structures can be accessed; this would prevent structures from being parsed and serialized multiple times. diff --git a/library/HTMLPurifier/AttrValidator.php b/library/HTMLPurifier/AttrValidator.php index 3b2bd4b3..ba4510e3 100644 --- a/library/HTMLPurifier/AttrValidator.php +++ b/library/HTMLPurifier/AttrValidator.php @@ -43,8 +43,8 @@ class HTMLPurifier_AttrValidator // DEFINITION CALL $d_defs = $definition->info_global_attr; - // reference attributes for easy manipulation - $attr =& $token->attr; + // don't update token until the very end, to ensure an atomic update + $attr = $token->attr; // do global transformations (pre) // nothing currently utilizes this 
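Review bot: In the first AttrValidator.php hunk, replacing `$attr =& $token->attr;` with a copy changes what the rest of the pass can observe through the context, and the new comment does not say so. Anything that fetches CurrentToken while validation is running will presumably read the original, unvalidated attribute values rather than the partly cleaned ones, and any write it makes to the token's attributes is overwritten by the assignment added in the second hunk. I would state that contract where the copy is made, e.g. `// $attr is a working copy: $token->attr keeps the raw, unvalidated values until the write-back at the end of this method`. The method starts and ends outside this hunk, so whether any existing definition or transform reads attributes from CurrentToken could not be checked from here.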
@@ -139,6 +139,8 @@ class HTMLPurifier_AttrValidator if ($e && ($attr != $o)) $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr); } + $token->attr = $attr; + // destroy CurrentToken if we made it ourselves if (!$current_token) $context->destroy('CurrentToken');
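Review bot: The added `$token->attr = $attr;` is now the only place where validated attributes reach the token, so any path that leaves the method between the copy in the first hunk and this line leaves the token with its original attributes untouched. With the old reference, a mid-way exit still kept whatever had been cleaned so far; with the copy it keeps nothing. The code between the two hunks is not visible here, so please confirm that stretch contains no `return` and no call that can throw past this point, and mark the invariant on the line itself, e.g. `// sole write-back of validated attributes: nothing above may exit the method early`. A test asserting that the token is unchanged during validation and fully cleaned afterwards would pin the atomic behaviour the NEWS entry describes.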