No. As this example illustrates perfectly, JavaScript (or any script) has no place in CSS, so XSS (the second S stands for "Scripting") is not possible. CSS should be declarative only, and it is when implemented in accordance with W3 standards. Dynamic expressions are now evaluated with calc, which can evaluate only simple mathematical expressions without resorting to the JS engine.
expression was an IE-only hack to facilitate specific functions until W3 came up with an alternative. With calc available, expression was deprecated. Starting with IE11, expression is no longer supported in the Internet zone. It was announced in 2008 that it would end this way, citing "reduce attack surface" as one of the main reasons. In versions older than IE11, it had been supported for quite some time only in quirks mode and in IE7 emulation mode.
To summarize: CSS has no place for JavaScript and, as such, cannot be attacked with XSS if implemented correctly, as it is in every current browser.
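For stylesheets that may still be served to legacy IE in quirks or IE7 emulation mode, the following added example (not part of the original answer) audits CSS text for declarations that call the IE-only expression() while leaving calc() alone. The function names and the sample stylesheet are constructed for illustration.

```javascript
// Added example (not from the original answer). Function names are hypothetical.
"use strict";

// Decode CSS backslash escapes so an escaped letter still compares equal.
function decodeEscapes(css) {
  return css.replace(/\\([0-9a-fA-F]{1,6})\s?|\\([^\r\n])/g, (m, hex, ch) => {
    if (ch !== undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
  });
}

// Return every declaration whose value calls the IE-only expression().
function findLegacyExpressions(css) {
  // Comments are not part of any value, so drop them before matching.
  const text = decodeEscapes(css.replace(/\/\*[\s\S]*?\*\//g, ""));
  const decl = /([a-zA-Z-]+)\s*:\s*([^;{}]+)/g;
  const findings = [];
  let m;
  while ((m = decl.exec(text)) !== null) {
    const value = m[2].trim();
    // Match the function name case-insensitively, but not as a suffix
    // of a longer identifier.
    if (/(^|[^a-z0-9_-])expression\s*\(/i.test(value)) {
      findings.push({ property: m[1].toLowerCase(), value });
    }
  }
  return findings;
}

// Constructed sample stylesheet: one standard calc() value, two legacy ones.
const SAMPLE_CSS = `
/* layout */
.box  { width: calc(100% - 20px); color: red; }
.old  { width: expression(document.body.clientWidth - 20); }
.old2 { HEIGHT: Expression(this.offsetWidth / 2) }
`;

console.log(findLegacyExpressions(SAMPLE_CSS));
```

Any finding marks a rule that current browsers ignore and that should be rewritten with calc() or moved into script.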