I am currently using the owasp java library on a backend service in order to sanitize HTML sent from the client. The owasp java library has a CSS whitelist of css rules that it will allow inside of any style tag inside of html elements. You can find that whitelist here.
One thing that I noticed about this whitelist is that the
Because then the other white-listed styles wouldn't work due to the element not being displayed at all
displayhas a lot of weird edge cases that affect layout in weird ways.
inline-blockare likely safe in most contexts.
fixedis probably safe in none.
tableand others are probably dodgy since there may be ways to break visual containment.
inline blockcan break visual containment for example with a policy that only allows inline tags when the embedder fixes the
widthof the container and doesn't hide