[Ur] Supporting 'style' attribute securely

[Adam Chlipala]

OK, here's a summary of my current plan for how to implement this 
support.  Feedback remains welcome.

There are two main problems to be addressed:
1) Prevent code injection, where strings (especially those coming 
directly from users) are implicitly interpreted as code.
2) Prevent anti-modular code patterns, such as, in a library, absolute 
positioning to move some content to a part of the page where the author 
of the client code doesn't expect it to appear.

Problem 2 is harder to address without imposing onerous programming 
restrictions, so my plan is to start by addressing only problem 1.

Specifically, a simple type of abstract syntax for CSS style code will 
be introduced.  A style is a list of key-value pairs.  A key is a string 
naming a style, allowing only characters from a small whitelist.  A 
value is a list of subvalues, each of which is noted with one of the 
primitive value syntax forms from the CSS 2.1 spec.  The URL syntax 
deserves special mention, since it will interpreted to ensure that all 
URL's meet the application-wide URL policy.

In places where the CSS spec allows escaping of certain fancier 
characters, I will instead rule those characters out, at least at first.

As with the several other languages already embedded in Ur/Web, the 
compiler will do desugaring of the usual CSS syntax into calls to 
combinators from the standard library; but programmers will remain free 
to work with the combinators directly.