There are four things CSS can do that I think fall into different application security severity buckets but also, in my opinion the severity is inversely proportionalte to the complexity of the fix.
- CSS can pull remote images (which can lead to CSRF)
- CSS can overlay tags at any location (which can lead to inadvertant behavior like clicking on tags that you think take you to a login page but really take you to another site)
- CSS can alter the colors, borders, cursor, scrollbars, etc… (which can hurt your branding)
To stop overlays, you need to reject positioning tags. That can be a mess, but I believe it’s possible. Both absolute and relative positioning are risky. There maybe ways to wrap the information in tags to reduce the risk of positioning tags. See the comments in this old post where Dean Brettle and I discuss CSS wrapping for some ideas.
Lastly, to remove the rest of the branding issues, one trick is to throw the content in an iframe so it does not have access to outside the frame in question. Outside of that, wrapping may work for some things, but definitely not changing the scrollbars or something equally annoying.
Frankly, I’m not sure CSS has a place in user input mixed with your content unless you resign the page to being at least partially under the stylistic control of the user.