[Bug]: CSS sanitization coverage

## Describe the Bug

The current CSS sanitization rules cover several legacy injection vectors but do not block external resource loading through @import or remote url(...) references.

