The attached html page demonstrates what I think is a bug in Safari. I have only tested with Safari 2.0.4, not the latest version of WebKit.

Firefox and IE both treat the innerHTML of a <PRE> tag as regular html, but Safari seems to group it with style, script, and other tags that contain CDATA in some cases. Strangely, Firefox and IE treat XMP and PLAINTEXT elements' content as CDATA but Safari does not.

The XMP, LISTING, and PLAINTEXT tags are deprecated, but the PRE tag is not, and its content should not be treated as CDATA. If it is, then the following naive code:

    document.writeln(myPreTag.innerHTML);

could cause arbitrary script to execute by injecting an onmouseover handler.

Actual Behavior:
The right column of row 6 of the attached page renders as
<!DOCTYPE foo PUBLIC "foo"> <foo />

Expected Behavior:
It should render as
<DOCTYPE foo PUBLIC "foo"> <foo />
though escaping other characters, such as the double quotes, would be acceptable too.
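Added example, not part of the original report and not WebKit code: a toy innerHTML-style serializer over a constructed node tree, showing why text inside PRE must be entity-escaped while raw-text elements are emitted literally. The node shape, the function names and `BUGGY_RAW_TEXT` (which models the behaviour the report describes) are assumptions; the raw-text element list follows the HTML standard's fragment serialization rules.

```javascript
// Elements whose text children are serialized literally (no entity escaping).
// PRE is deliberately absent: its text must be escaped like any normal element.
const RAW_TEXT = new Set(["style", "script", "xmp", "iframe",
                          "noembed", "noframes", "plaintext"]);

// Escape a text node for serialization (attribute escaping is out of scope here).
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/\u00a0/g, "&nbsp;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// node: { tag: string, children: Array<string | node> }; strings are text nodes.
function innerHTML(node, rawText = RAW_TEXT) {
  let out = "";
  for (const child of node.children) {
    if (typeof child === "string") {
      out += rawText.has(node.tag) ? child : escapeText(child);
    } else {
      out += `<${child.tag}>${innerHTML(child, rawText)}</${child.tag}>`;
    }
  }
  return out;
}

// Coarse check: would this string open a tag, comment or doctype if it were
// fed back to an HTML parser (for example through document.writeln)?
function wouldCreateMarkup(html) {
  return /<[a-zA-Z!\/?]/.test(html);
}

// Constructed input: the text content quoted for row 6 of the test case.
const ROW6_TEXT = '<!DOCTYPE foo PUBLIC "foo"> <foo />';
const pre = { tag: "pre", children: [ROW6_TEXT] };
const xmp = { tag: "xmp", children: [ROW6_TEXT] };

// Hypothetical model of the reported behaviour: PRE grouped with raw-text elements.
const BUGGY_RAW_TEXT = new Set([...RAW_TEXT, "pre"]);

function demo() {
  return {
    preCorrect: innerHTML(pre),                 // escaped, safe to re-parse
    preBuggy: innerHTML(pre, BUGGY_RAW_TEXT),   // literal text becomes markup
    xmpRaw: innerHTML(xmp),                     // literal by design
  };
}
```

Code that writes `innerHTML` back into a document relies on the escaped form; with the buggy grouping, text a user typed into a PRE would be re-parsed as elements and attributes.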
Sounds like a duplicate of Bug 12735.
Created attachment 13134
html testcase that demonstrates the behavior of innerHTML with various types of elements and text content. Requires javascript. See row 6.
*** This bug has been marked as a duplicate of 12735 ***
Moving all JavaScriptGlue bugs to JavaScriptCore. The JavaScriptGlue framework itself is long gone. And most of the more recent bugs put in this component were put there by people who thought this was for some other aspect of “JavaScript glue” and have nothing to do with the actual original reason for the existence of this component, which was an OS-X-only framework named JavaScriptGlue.