CSS Injection happens when a malicious party is able to alter your webpage by making use of user-defined styles. If your Rails application allows users to define a color which is then served back through CSS using a view:
<div style="background: <%= user.background_color %>;">
Then a user could supply a value which alters the page layout or content.
What are the risks?
A major risk of CSS injection is abuse of the `content` property to rewrite a page's content. Additionally, if a user is able to edit the style of forms seen by others, they could trick those users into entering personal data where it becomes publicly visible.
The easiest way to prevent injection attacks is to validate user-provided values. Alternatively, instead of letting end users set their own values, you can give them a pre-defined list which you've already validated.
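Both approaches described above, as an added example that is not code from the original page: a strict hex-color check and a pre-defined palette lookup. The `ColorPolicy` module, its constants and its method names are hypothetical, and the sample inputs are constructed.

```ruby
# Added example: allowlist handling for a user-supplied background color.
# ColorPolicy and everything inside it are hypothetical names.
module ColorPolicy
  # Pre-defined palette: users pick a key and never supply raw CSS.
  PALETTE = {
    "sky"   => "#87ceeb",
    "sand"  => "#f4e1b5",
    "slate" => "#708090"
  }.freeze

  DEFAULT = "#ffffff"

  # Strict hex color: #rgb or #rrggbb only. \A and \z anchor the whole
  # string; in Ruby ^ and $ match per line, so a value with an embedded
  # newline could pass a ^...$ pattern.
  HEX_COLOR = /\A#(?:\h{3}|\h{6})\z/

  # Returns the palette value for a known key, otherwise the default.
  def self.from_palette(key)
    PALETTE.fetch(key.to_s, DEFAULT)
  end

  # Returns the value if it is a strict hex color, otherwise the default.
  def self.validated_hex(value)
    value = value.to_s
    HEX_COLOR.match?(value) ? value.downcase : DEFAULT
  end
end

# Constructed sample inputs: two valid colors and three values that try to
# smuggle extra CSS into the style attribute.
samples = [
  "#FF8800",
  "#abc",
  "red; position: fixed",
  "#fff\n; display: none",
  "url(//example.invalid/x)"
]
samples.each do |s|
  puts "#{s.inspect} -> #{ColorPolicy.validated_hex(s)}"
end
```

In a Rails model the same pattern can back a `validates ... format:` or `inclusion:` rule, so that only a checked value ever reaches the view.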