It's possible to include a </style> in a stylesheet considered valid by css-sanitizer and TemplateStyles. Anything after that in the stylesheet will be interpreted as raw HTML.
Specifically, I found two ways to do it: content: "</style>" (or anything else that allows a string) and grid-area: \< / style 1 / \>; (which outputs as grid-area:\</style 1/\>, close enough for browsers to accept).
I'll upload patches momentarily to fix this in two ways:
- In css-sanitizer, use numeric escapes for < and > in strings and identifiers.
- In TempateStyles, reject anything containing the string </style.