The sanitizer rejects any inline CSS with "url(" to prevent web bugs. [1] has a proposed update to attr() which would allow to circumvent this check:
<div title="https://example.org/image.png" style="background-image: attr(title url);"></div>
creates a span with an URL as title. The inline CSS then adds an background image defined by that title interpreted as URL, i.e. shows an image from any domain.
According to [2] no browser currently implements this syntax ([3] claims it is implemented in IE9, which I could not reproduce, and is wrong according to [4]). But once this syntax gets implemented by some browser, the sanitizer should reject /attr\s*\([^),]+url/ (I'm not entirely sure about this regexp, but something like that should do the job).
[1]: https://www.w3.org/TR/css3-values/#attr-notation
[2]: https://developer.mozilla.org/en/docs/Web/CSS/attr#Browser_Compatibility
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=435426#c2
[4]: http://msdn.microsoft.com/en-us/library/ie/ms537660%28v=vs.85%29.aspx#attr
Version: unspecified
Severity: normal