9

In reference to this question, I was researching whether or not there would be any security risks in letting users add their own stylesheets.

He brings up a scenario in which a dev might use positions to replace the search and password field. If, however, the custom CSS were only seen by the user who added the styles, then are there any other risks?

Even with the expression()? Because I do not know why someone would try to XSS themselves.

Vilican
Meghan

2 Answers

4

Try not to see security from the developer's point of view, but instead, follow a set of best practices. For example, you will be accepting input from a user, in the form of a file upload or text input; sanitize the content nonetheless. Look at the answers to this question for tips on how to sanitize user-defined CSS.

I would not assume that the CSS may only come from the user who will see it. This is most likely the current requirement, but I would not be surprised if, in the future, a series of changes allowed this restriction to be bypassed.

Also, depending on the implementation (for example if you serve a URL to a CSS file), someone may be tempted to try to just change all the URLs to a malicious one (http://good-site.com/user1.css --> http://bad-site.com/?inject=user1.css); think XSS, injection, etc.

In short, my advice is to implement all security measures available given your project constraints.

Purefan
  • For a real life example, do you know how Reddit does their subreddit styling by any chance? Is it only available to mods, staff, or can anyone access it? – Meghan Dec 16 '15 at 03:53
  • On that same note, StackExchange also does something like that I would assume because many sites get a theme after coming out of beta (ie this one has all the shields, etc) – Meghan Dec 16 '15 at 03:54
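The following is an added example (not code from the answer above or from any of the sites mentioned) of the "sanitize it nonetheless" approach: an allowlist-based sanitizer for user-supplied CSS that drops the constructs the thread worries about (expression(), script-capable URLs, behavior/-moz-binding, @import) and only accepts url() values that resolve to the site's own origin, so a stylesheet URL cannot be swapped for a different host. It makes no assumption about who will view the CSS, which is exactly the point: the same check protects the author, an account that was taken over, and everyone else if the per-user restriction is ever loosened. The property allowlist, the `allowedOrigin` parameter and the sample input are constructed for the example.

```javascript
// Added example (not the original answer's code): allowlist sanitizer for
// user-supplied CSS. Assumptions (hypothetical): the application stores only
// the returned `css` string, and `allowedOrigin` is the site's own origin.
const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'background-image', 'font-family', 'font-size',
  'font-weight', 'margin', 'padding', 'border', 'border-radius', 'display',
]);

// Constructs that have historically turned CSS into script execution or
// data exfiltration. Backslashes are rejected so CSS escapes like \65xpression
// cannot hide a keyword; '<' and '>' so the output can never close a <style>.
const DANGEROUS_VALUE = /expression\s*\(|javascript\s*:|vbscript\s*:|-moz-binding|behavior\s*:|[<>\\]/i;

// Comments are stripped first so exp/**/ression( is seen as expression(.
function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Reject values that are syntactically open-ended, since an unbalanced quote or
// paren can swallow following rules in the browser.
function isBalanced(value) {
  const opens = (value.match(/\(/g) || []).length;
  const closes = (value.match(/\)/g) || []).length;
  const quotes = (value.match(/["']/g) || []).length;
  return opens === closes && quotes % 2 === 0;
}

// Accept url(...) only when every occurrence is well formed and resolves to
// allowedOrigin. data: and javascript: URLs have origin "null" and fail.
function urlsAreAllowed(value, allowedOrigin) {
  const opens = (value.match(/url\s*\(/gi) || []).length;
  const urlRe = /url\s*\(\s*(['"]?)([^'")]*)\1\s*\)/gi;
  let closed = 0;
  let m;
  while ((m = urlRe.exec(value)) !== null) {
    closed += 1;
    let parsed;
    try {
      parsed = new URL(m[2].trim(), allowedOrigin);
    } catch (e) {
      return false;
    }
    if (parsed.origin !== allowedOrigin) return false;
  }
  return opens === closed;
}

// Returns { css, rejected }: the rebuilt stylesheet and a log of what was dropped.
function sanitizeCss(rawCss, allowedOrigin) {
  const css = stripComments(rawCss);
  // At-rules (@import, @font-face, @media) are refused outright; a production
  // sanitizer would parse them, this example keeps the grammar to plain rules.
  if (/@/.test(css)) {
    return { css: '', rejected: ['at-rules (@import, @font-face, ...) are not accepted'] };
  }
  const kept = [];
  const rejected = [];
  const blockRe = /([^{}]+)\{([^{}]*)\}/g;
  let block;
  while ((block = blockRe.exec(css)) !== null) {
    const selector = block[1].trim();
    if (!/^[\w\s.#:>,\-\[\]="'*+~]+$/.test(selector)) {
      rejected.push(`selector: ${selector}`);
      continue;
    }
    const declarations = [];
    for (const decl of block[2].split(';')) {
      if (!decl.trim()) continue;
      const idx = decl.indexOf(':');
      if (idx < 0) { rejected.push(decl.trim()); continue; }
      const prop = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      const ok = ALLOWED_PROPERTIES.has(prop) && !DANGEROUS_VALUE.test(decl)
        && isBalanced(value) && urlsAreAllowed(value, allowedOrigin);
      if (!ok) { rejected.push(`${prop}: ${value}`); continue; }
      declarations.push(`${prop}: ${value}`);
    }
    if (declarations.length) kept.push(`${selector} { ${declarations.join('; ')}; }`);
  }
  return { css: kept.join('\n'), rejected };
}

// Constructed sample input: harmless rules mixed with the thread's worst cases.
const SAMPLE_USER_CSS = `
/* constructed sample stylesheet */
.post-title { color: #336699; font-weight: bold; }
.avatar { background-image: url("/static/avatar.png"); border-radius: 4px; }
.sidebar { background-image: url(http://bad-site.com/?inject=user1.css); }
#password { color: expression(alert(1)); }
body { behavior: url(evil.htc); -moz-binding: url(http://bad-site.com/x.xml); }
`;

console.log(JSON.stringify(sanitizeCss(SAMPLE_USER_CSS, 'https://good-site.com'), null, 2));
```

Run with `node`: the two benign rules survive, the four hostile declarations land in `rejected`, and the `rejected` log is worth keeping server-side, since a stylesheet full of expression() or foreign-host URLs is a useful signal that an account may not be in its owner's hands.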
2

Keep in mind that the person who is logged into the site may not be the person who owns the account. If someone gains control of a user's account, then they can change the style sheet to attack the user the next time they log in. Or, if this person finds a way to change another user's style sheet through an exploit, they can attack all users of your site at once!

You'd be correct to assume that these vulnerabilities are dangerous by themselves. However, vulnerabilities in large projects tend to snowball, and you shouldn't make it easy for someone to attack others from a small foothold. Make them work for it! Close any security holes you find, no matter how minor.

Ohnana