
I'm building an application which lets users input custom CSS for their own profiles (kinda like MySpace, Friendster, or Blogger).

The problem is I'm having a hard time finding a way to purify XSS attacks through CSS. I tried using HTMLPurifier, but it doesn't work. One example:

html {
    expression: alert('xss');
}

body {
    background-color: #FFF;
}

This would be allowed by HTMLPurifier.

Are there any settings I need to use for HTMLPurifier to make this invalid?

Thanks!

Update
Is expression: the only way to push an exploit via CSS? If so, would a regular expression be more efficient than using HTMLPurifier?

Nikko
    why allow the use of "expression" in the first place? – Quamis Jun 02 '11 at 08:25
  • Since the user will be inputting the CSS themselves, I can't guarantee that they won't use it. Is "expression:" the only way to run an exploit through CSS? If so, then a regular expression would be more efficient correct? – Nikko Jun 08 '11 at 09:13
  • This answer shows how to configure HTMLPurifier and CSSTidy to sanitize CSS: http://stackoverflow.com/questions/3241616/sanitize-user-defined-css-in-php – Synchro Dec 19 '12 at 15:40

2 Answers


HTML Purifier operates on HTML input, not CSS. That being said, you can probably trick it to work on CSS style sheets by wrapping the style sheet in style tags and turning on %Filter.ExtractStyleBlocks. You'll need CSS Tidy installed.

Update. No. There are many ways to deliver CSS payloads and searching for expression is not enough.

Edward Z. Yang
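The %Filter.ExtractStyleBlocks approach described in the answer above, as an added example that is not part of the original post or of HTML Purifier's own code; the include paths, the `#profile` scope id and the `sanitizeProfileCss` function name are assumptions:

```php
<?php
// Added example: run HTML Purifier's ExtractStyleBlocks filter over
// user-supplied profile CSS. Assumes HTML Purifier and CSSTidy are installed;
// the two paths below are placeholders for your own install.
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
require_once '/path/to/csstidy/class.csstidy.php';

function sanitizeProfileCss(string $userCss): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Pull <style> blocks out of the input and clean them with CSSTidy;
    // properties HTML Purifier does not know (such as expression) are dropped.
    $config->set('Filter.ExtractStyleBlocks', true);
    // Prefix every selector so a user's rules stay inside their own profile
    // container (the html { ... } rule from the question becomes
    // "#profile html { ... }", which matches nothing).
    $config->set('Filter.ExtractStyleBlocks.Scope', '#profile');
    // Hand the filter an explicit CSSTidy instance (CSSTidy is a separate project).
    $config->set('Filter.ExtractStyleBlocks.TidyImpl', new csstidy());

    $purifier = new HTMLPurifier($config);
    // The filter only sees CSS that arrives inside a <style> element, so wrap it.
    $purifier->purify('<style>' . $userCss . '</style>');

    // Cleaned style blocks come back through the context, one entry per <style>.
    $blocks = $purifier->context->get('StyleBlocks');
    return implode("\n", $blocks);
}

// Constructed input: the sample CSS from the question.
$css = "html {\n    expression: alert('xss');\n}\n\nbody {\n    background-color: #FFF;\n}";
$safe = sanitizeProfileCss($css);

// Serve the cleaned rules as a stylesheet (or store them for the profile page).
header('Content-Type: text/css');
echo $safe;
```

Keep the cleaned output in a stylesheet of its own rather than echoing the raw submission back into the page, so the only CSS the browser ever receives is what the filter emitted.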

$str = preg_replace("/expression[\s:]+/", '', $str) would remove the expression string.

In my opinion it may be better to simply "ban" or otherwise mark the user that tries to input this stuff to your site. Don't know about other ways to break a browser by using CSS, maybe @Edward can help here :)

Quamis
  • Banning them would be a good cure, but what I'm looking for is a preventive measure. Besides, it won't be scalable when you've got a lot of users who have a lot of custom pages. – Nikko Jun 21 '11 at 11:33