I have such an exact problem.
I can confirm that this is happening with Mac FF 3.6. It is only 3.6 pieces. It seems that even 3.7 alpha works, according to some people in the IRC, I tried this.
I can also confirm that the CDATA trick is not working; I have tried many options. I also tried different DOCTYPES etc.
I also have a terrible time reproducing it. This happens in about 30% of cases when I load a page, even if I follow the same steps every time w / r / t clears the cache, reloading FF, etc. It is definitely heisenbug. I cannot create a simple test case that works too. The trigger conditions for this should be quite complex.
However, I was fortunate enough to fix this. It seems that the key should kill src= . For example:
var someHTML = '<img src="' + item.url + '" />';
becomes:
var someHTML = '<img s'+'rc="' + item.url + '" />';
So far this seems to help, but for me it hasn't been long enough.
This problem is especially insidious in my case; I have a JSON string that has 20 URLs, and FF 3.6 requests all 20 URLs (which are dummy URLs but end up on the same page) in a split second and DoS server every time someone with FF 3.6 visits my site.
This is a very bad mistake in FF. I think that many webmasters have not yet discovered that this is happening, but I would suggest that this causes widespread problems.