Adding one comment to clarify - We've determined that this issue may not be specific to content fragments. Rather, the Rich Text Editor feature used within content fragments may be what's triggering the XSS scan.

How would (relatively) non-technical users input their CSS to client libs? Wouldn't that require access to our AEM project? The HTML/CSS is being written by people that just have author access to the content fragments and is generally very diverse in contents.

I'm sorry, could you explain a bit more what you mean? We aren't using any internal CSS referencing, unless I'm misunderstanding your question. The stylesheet is all inline.

Edit - it double posted my comment, apologies.

I am trying to allow users to publish HTML and CSS content in content fragments. The users are finding that important pieces of their CSS/HTML is being stripped out, in particular media queries/responsive codes.Does anyone have any guidance for writing AntiSamy config.xml's that will pass the CSS (a...