You are right -- the 'safe' configuration does not secure this issue, and many people are unlikely to go through what exactly 'safe' implies to be aware of this. I will alter the documentation to make this clearer.
htmLawed does not implement CSS Tidy. Following is a suggested but not tested code snippet on how that might be used through 'hook_tag':
// Include CSS Tidy and define a function to use it
include_once('.../class.css.tidy.php');
function css_tidy($element, $attribute_array=0){
    // if second argument is not received, it means a closing tag is being handled
    if(is_numeric($attribute_array)){
        return "</$element>";
    }
    if(isset($attribute_array['style'])){
        // Do the CSS Tidy filtering of 'style' value
        $value = $attribute_array['style'];
        // ... use appropriate code on $value for CSS Tidy
        // Assign 'style' the filtered value
        $attribute_array['style'] = $value;
    }
    // Build the attributes string
    // (values are placed inside double quotes as-is, so the filtered 'style'
    // value must not contain a raw double quote)
    $attributes = '';
    foreach($attribute_array as $k=>$v){
        $attributes .= " {$k}=\"{$v}\"";
    }
    // Return the opening tag with attributes
    static $empty_elements = array('area'=>1, 'br'=>1, 'col'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'param'=>1);
    return "<{$element}{$attributes}". (isset($empty_elements[$element]) ? ' /' : ''). '>';
}
// htmLawed config. points to above function
$config = array(/* ... */ 'hook_tag'=>'css_tidy' /* ... */);
// htmLawed filtering
$out = htmLawed($in, $config /* ... */);
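
One way to fill the filtering step without CSS Tidy, as an added example that is not part of the original reply or htmLawed's own code: a property allowlist applied to 'style' values from a 'hook_tag' function. The function names, the allowed-property list and the sample input are assumptions made for illustration.

```php
<?php
// Added example: property allowlist for inline 'style' values (CSS Tidy is not used here).
// filter_style_value() and style_allowlist_hook() are hypothetical names.
function filter_style_value($style){
    // Hypothetical policy: only these properties survive
    static $allowed = array('color'=>1, 'background-color'=>1, 'font-weight'=>1,
        'font-style'=>1, 'text-align'=>1, 'text-decoration'=>1);
    // Decode entities first so an encoded character cannot slip past the checks below
    $style = html_entity_decode($style, ENT_QUOTES, 'UTF-8');
    $kept = array();
    foreach(explode(';', $style) as $declaration){
        $parts = explode(':', $declaration, 2);
        if(count($parts) != 2){
            continue; // not a 'property: value' pair
        }
        $property = strtolower(trim($parts[0]));
        $value = trim($parts[1]);
        // Value must be plain keywords, numbers or a #hex colour: no quotes, parentheses,
        // backslashes or '&', so functions such as url() are dropped and the result
        // needs no further escaping inside a double-quoted attribute
        if(isset($allowed[$property]) && preg_match('/^[a-zA-Z0-9#%. -]+\z/', $value)){
            $kept[] = "{$property}: {$value}";
        }
    }
    return implode('; ', $kept);
}

function style_allowlist_hook($element, $attribute_array=0){
    if(is_numeric($attribute_array)){
        return "</$element>"; // closing tag
    }
    if(isset($attribute_array['style'])){
        $filtered = filter_style_value($attribute_array['style']);
        if($filtered === ''){
            unset($attribute_array['style']); // nothing allowed remained
        }else{
            $attribute_array['style'] = $filtered;
        }
    }
    $attributes = '';
    foreach($attribute_array as $k=>$v){
        $attributes .= " {$k}=\"{$v}\"";
    }
    static $empty_elements = array('area'=>1, 'br'=>1, 'col'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'param'=>1);
    return "<{$element}{$attributes}". (isset($empty_elements[$element]) ? ' /' : ''). '>';
}

// Constructed sample input: only 'color' and 'background-color' pass the allowlist
echo style_allowlist_hook('p', array('style'=>'color: red; position: fixed; background-image: url(http://example.com/x.png); background-color: #fff')), "\n";
```

To use it with htmLawed, set 'hook_tag' to 'style_allowlist_hook' in the config array in place of 'css_tidy'.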