It is not secure. There are multiple ways to embed JavaScript in CSS such that it gets executed by at least some browsers. Google "XSS CSS" and look through the top hits.

Don't do this unless you're willing to do hardcore sanitization of the CSS, and to clean up the mess when your sanitization is inevitably bypassed and your users' cookies are compromised.

Allowing them to enter the CSS as free-form text (or upload a file) could lead to security problems. It might be safer to give them a Control Panel that lets them customize the look and feel (with limiations of course, it might be impossible to build a form that lets them customize EVERYthing), and implement the customization via CSS, while storing their settings as values in a structured set of database tables.

I think somebody answered this question before.

History lesson: myspace allowed custom CSS and scripts. For those of you not hanging around on the web in 2003 or so, this was a major security threat. Later on, the mass of user generated CSS which had been a selling point became a major detriment to the platform as many changes and improvements could not be made as they effectively had created a public API for their CSS hooks.

So it is a really, really bad idea to let users do CSS.