PerlMonks  

I'd recommend not letting them do that. The CSS model used here is a good one to follow. There are CSS themes, but to become generally available any submissions would have to be audited. However, the user is free to insert a style sheet of their own for themselves (which, btw, is just a crutch for old browsers; true CSS-enabled browsers should support user-defined style sheets). UPDATE: Note of course this is exploitable as well, but requires the explicit action of the naive user, and there's not much you can do about that. If a user were to create a tainted sheet, make it publicly available and convince others to use it (maybe it "looks cool")...
  • Did you come across this FAQ?
  • It is interesting to note that the acronym CSS is also used for Cross Site Scripting.
  • As for IMG, etc. you might find (~OT) WARNING: Live Ammo WAS: Re: Am I javascript or not? helpful, or frightening.
  --
  perl -pew "s/\b;([mnst])/'$1/g"


    In reply to Re: Safe CSS Stylesheets by belg4mit
    in thread Safe CSS Stylesheets by osfameron
