So, for a new community site I am working on, we are considering allowing the users to write their own CSS. Perhaps with a text area in their profile page. Then that becomes the CSS that the website sends their browser whenever they browse the site. This looks like a fairly obvious and cheap customization but I’ve never seen it done.
Assuming we add some safeguards to prevent users from irreparably messing up their own page, is there anything that can go wrong from a site-wide perspective? Perhaps wrt security?
OWASP has some good advice about escaping untrusted CSS that you might like to consider.
I recommend offering users some general appearance preferences (font size, style, and colour etc.) rather than giving them carte blanche. This has the advantage of being more accessible to less technical users, as well as resulting in fewer likely requests for tech support (don’t forget to include a ‘reset styles’ button so they can undo their changes without emailing you).
Any user who is comfortable enough to override site-wide CSS styles is likely to be aware of browser-based site-specific stylesheets, so I don’t see any real advantage in offering a blank styles box like the one you describe; if users were styling their pages to theme them for other visitors (e.g. tumblr) it would make much more sense.