I'd recommend not letting them do that.
The CSS model used here is a good one to follow.
there are CSS themes, but to become generally available
any submissions would have to be audited.
However, the user is free to insert a style
sheet of their own for themselves (which btw,
is just a crutch for old browsers; true CSS
enabled browsers should support user-defined
style sheets). UPDATE; Note of course this is
exploitable as well, but requires the explicit
action of the naive user, and there's not
much you can do about that. If a user were to create
a tainted sheet, make it publically available
and convince others to use it (maybe it
"looks cool")...
Did you come across this FAQ?
It is interesting to note that
the acronym CSS is also used for Cross Site Scripting.
As for IMG, etc. you might find (~OT) WARNING: Live Ammo WAS: Re: Am I javascript or not? helpful, or frightening.
--
perl -pew "s/\b;([mnst])/'$1/g"