I think Plurk could be risking it. Apparently, they now allow everyone, from sign up, to edit the CSS in their profiles. That’s wonderful for the honest people in the world. However, it’s not a good thing for those more malicious.
In Plurk’s Styling Tutorial, they show users how to edit their CSS and even recommend Firebug. That’s fine, until at some point, they show a theme they made, I guess. It’s a good looking theme and all, however, it is troubling that the image for the background is on some external site!
If they’re allowing unfiltered backgrounds in their CSS, what other things could they allow? If I get an image into that space, I could track everyone who visits my page by using a simple PHP script, and some geolocation service. If I go further than that, I might even inject some JavaScript into the CSS and hope for the best, I mean worst. So in other words, it’s an insignificant XSS vector. I don’t know if it is really, but it could be.
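A site that accepts profile CSS can audit each submission before storing it, rejecting `url()` targets on hosts it does not control and the constructs that have let stylesheets run script in some browsers. The following is an added example, not Plurk's code; `ALLOWED_HOSTS`, the function names and the sample stylesheets are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"static.example.com"}  # assumption: image hosts the site itself runs
# Constructs that have let a stylesheet run script or load further CSS in some browsers.
BANNED = ("expression(", "javascript:", "vbscript:", "@import", "behavior:", "-moz-binding")

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])")
_URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)

def _unescape(match):
    if match.group(1):  # hex escape such as \72
        cp = int(match.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return match.group(2)  # single escaped character such as \l

def normalise(css):
    """Remove comments and decode backslash escapes so keywords cannot hide."""
    return _ESCAPE.sub(_unescape, _COMMENT.sub("", css))

def external(target):
    """True when a url() target leaves the site and is not on the allowlist."""
    try:
        parsed = urlparse(target)
    except ValueError:
        return True  # unparseable target: reject it
    if not parsed.scheme and not parsed.netloc:
        return False  # relative path, stays on the site
    return parsed.scheme not in ("", "http", "https") or parsed.hostname not in ALLOWED_HOSTS

def audit_css(css):
    """Return (reason, detail) findings; an empty list means the CSS is accepted."""
    text = normalise(css)
    squashed = re.sub(r"\s+", "", text).lower()
    findings = [("banned construct", b) for b in BANNED if b in squashed]
    findings += [("external url", t.strip()) for _, t in _URL.findall(text) if external(t.strip())]
    return findings

# Constructed sample profile stylesheets.
SAMPLE_LOCAL = 'body { background: #fff url("/img/bg.png") no-repeat; }'
SAMPLE_EXTERNAL = "body { background: url(http://tracker.example/bg.php); }"
SAMPLE_HIDDEN = "div { width: e\\78 pression(1); back/**/ground: u\\72l(//other.example/x.png); }"

if __name__ == "__main__":
    for name, css in [("local", SAMPLE_LOCAL), ("external", SAMPLE_EXTERNAL), ("hidden", SAMPLE_HIDDEN)]:
        print(name, audit_css(css))
```

A stricter design parses the stylesheet and allowlists properties and values rather than blocklisting strings, and copies any permitted images onto the site's own host so that viewing a profile never triggers a request to a third party.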