I'm doing pre-parsing of HTML strings before dispaying them to page to cut off forbidden tags. To do this I'm creating element in the DOM but do not add it into main page to not affect page layout, assigning innerHTML to this string and after that processing new DOM tree to delete forbidden elements. After that I'm compressing element content into HTML string and inserting it into page. This works ok with all the browsers but in Webkit I got an error - if HTML string contains <STYLE> tag - CSS rules from that element are applied to main page even if temporary element is not in the main page DOM. See attached example.
Created attachment 28354 [details] example to reproduce an error
Workaround - use createElementNS to create element in different namespace - in this case STYLE won't affect local document.
same problem with <LINK> element - for LINK rel="stylesheet" corresponding CSS file is loaded and applied to the page
Created attachment 28357 [details] XSS
attached new file - XSS attack using this bug.