I have a web app that generates HTML code. A user can enter CSS code, which is automatically inserted inside of a <style></style> tag.
Now a malicious user enters </style><script>maliciousfunction();</script><style> here.
If I escape the whole input, valid CSS gets escaped too (the braces, for example), and the style doesn't work anymore.
What is the best solution to this problem?
Escaping is not the best option; these characters may naturally exist in CSS code ( < ' " : ; > ).
I believe the better option is using a parser to parse and clean the code, keeping the pure CSS and leaving the not-understandable mess behind. One I found: https://github.com/tylerbrinks/excss
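As an added example that is not part of this thread (and not excss code): the HTML tokenizer treats the inside of a <style> element as raw text, so the only way out of it is a "</style" sequence; the snippet below removes that possibility by converting every "<" to the CSS hex escape "\3c ", which keeps legitimate CSS (braces, quotes, colons, even a "<" inside a string) working. The function names and the sample inputs are assumptions made for the example.

```javascript
// Added example (not from the thread): making untrusted CSS safe to embed
// inside a <style> element. The HTML parser cannot be "escaped out of" unless
// the text contains "</style" (case-insensitive), so it is enough to make sure
// no "<" reaches the output. In valid CSS, "<" normally appears only inside
// strings, url() and comments, where the hex escape "\3c " renders as "<".

function escapeCssForStyleElement(userCss) {
  // "\3c" followed by a space: the space is consumed as part of the escape,
  // so a following hex digit (the "b" in "a<b") is not swallowed into it.
  return String(userCss).replace(/</g, '\\3c ');
}

// Detection helper: would the HTML tokenizer read this text as the end of the
// <style> element? Browsers match the terminator case-insensitively.
function containsStyleTerminator(text) {
  return /<\/style/i.test(text);
}

// Builds the fragment the web app would actually emit.
function buildStyleBlock(userCss) {
  const safe = escapeCssForStyleElement(userCss);
  if (containsStyleTerminator(safe)) {
    throw new Error('terminator survived escaping'); // cannot happen: no "<" remains
  }
  return '<style>' + safe + '</style>';
}

// Constructed samples: the breakout from the question, and legitimate CSS
// containing braces, quotes, colons and a "<" inside a string.
const breakout = '</style><script>maliciousfunction();</script><style>';
const legit = 'p::before { content: "a<b"; color: red; }';

console.log(buildStyleBlock(breakout));
console.log(buildStyleBlock(legit));
```

This only prevents leaving the style element; it does not make arbitrary user CSS harmless (for example, it can still restyle or cover parts of the page), which is the kind of concern a real CSS parser/whitelist addresses.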