Created attachment 358672 [details]
testcase demonstrating a bunch of escaping issues
Some of these are more than just escaping issues, like the IsPseudoElement function in nsCSSStyleRule.cpp, and perhaps bug 280443.
Bug 478160 and bug 481591 helped a few of the problems here, but there's still a good bit more to fix.
This can lead to security surprises for sites that sanitize user-generated CSS per spec and then use "elem.innerHTML += ...":