Fuzzers have found a bunch of bugs related to <use> and <script> in SVG. I think the main problem is that <use> tags are allowed to refer to IDs that occur later in the file. For example: <svg> <g> <use xlink:href="#test"/> <rect id="test"> <script> document.body.innerHTML = "PASS"; </script> The <use> tag constructs its shadow DOM the first time recalcStyle() is called. In this example, that will be when the parser yields, which occurs after reaching </script>, but before executing the script. By this point, the <script> has been constructed and inserted in the tree, but not executed. This leads to a situation where the script block will execute twice: once in the clone and once in the original. This seems wrong. Also, there may be other tags after the </script> that haven't yet been parsed, but ought to have been deep cloned. It seems that the shadow DOM should be created when the <use> tag is constructed and you shouldn't be allowed to refer to something later in the document. Briefly reading the spec, it always talks about <use>'ing IDs that have been already declared and doesn't seem to cover the above case.
Shadow tree creation time changed, marking as duplicate of bug 78902. *** This bug has been marked as a duplicate of bug 78902 ***