Fuzzers have found a bunch of bugs related to <use> and <script> in SVG. I think the main problem is that <use> tags are allowed to refer to IDs that occur later in the file. For example:

<svg>
<g>
<use xlink:href="#test"/>
<rect id="test">
<script>
document.body.innerHTML = "PASS";
</script>

The <use> tag constructs its shadow DOM the first time recalcStyle() is called. In this example, that will be when the parser yields, which occurs after reaching </script>, but before executing the script. By this point, the <script> has been constructed and inserted in the tree, but not executed. This leads to a situation where the script block will execute twice: once in the clone and once in the original. This seems wrong. Also, there may be other tags after the </script> that haven't yet been parsed, but ought to have been deep cloned.

It seems that the shadow DOM should be created when the <use> tag is constructed and you shouldn't be allowed to refer to something later in the document. Briefly reading the spec, it always talks about <use>'ing IDs that have been already declared and doesn't seem to cover the above case.