XSS attack within CSS file or injected into page inline style

Some websites generate CSS files at runtime based on request parameters. Sometimes a parameter is printed into the CSS without proper escaping. You should never allow that, as it can lead to session hijacking and XSS attacks.

So this is how you can inject JavaScript into a CSS file or inline CSS:

li {
  xss:expression(alert('XSS'));
}

This is all you have to do!

How to prevent XSS in CSS files

All you have to do is validate everything before you print it into a dynamically generated CSS file, and you will be safe.
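
One way to do that validation, as an added example that is not part of the original post: each request parameter must match an allow-list pattern in full, and anything else is replaced by a fixed default instead of being escaped. The parameter names, patterns and defaults are hypothetical and constructed for this example.

```python
import re

# Allow-list patterns: each theme parameter must match its pattern in full.
# Parameter names and defaults are hypothetical, constructed for this example.
ALLOWED = {
    "color": re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})"),
    "width": re.compile(r"(?:0|[1-9][0-9]{0,3})(?:px|em|rem|%)"),
    "align": re.compile(r"left|right|center|justify"),
}
DEFAULTS = {"color": "#333333", "width": "100%", "align": "left"}


def validate(name, value):
    """Return value if it fully matches the allow-list pattern, else the default."""
    pattern = ALLOWED[name]
    # fullmatch() is used instead of match() with "$", because "$" also
    # matches just before a trailing newline and would let "#fff\n" through.
    if isinstance(value, str) and pattern.fullmatch(value):
        return value
    return DEFAULTS[name]


def render_css(params):
    """Build the stylesheet from request parameters, validating each one."""
    safe = {name: validate(name, params.get(name)) for name in ALLOWED}
    return (
        "li {\n"
        f"  color: {safe['color']};\n"
        f"  width: {safe['width']};\n"
        f"  text-align: {safe['align']};\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed request: one parameter carries the payload shown above.
    request = {"color": "#fff", "width": "expression(alert('XSS'))", "align": "center"}
    print(render_css(request))
```

Only the known parameter names are ever read, so an unexpected extra parameter never reaches the output.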

I guess it's yet another web security eye-opener, isn't it?
