What you (and probably 99% of the theme authors) are trying to do is just wrong. Users should not be expected to know CSS to customize a theme, and if they do need to go into such a low level, the right thing for them to do is to create a child theme and insert their modifications into its CSS file.
Inputting CSS in the way you describe is tricky, as CSS is not general HTML and cannot be escaped in the same way, but it is also impossible to sanitize and remove potentially insecure code from it. What you end up with is a situation in which you have to output the user’s CSS “as is” in order to be sure you do not break it, but then in the place where such a feature is most useful, multisite, it is too insecure to be used.
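An added illustration of the escaping problem described above (example code, not part of the original answer): it runs as plain PHP without loading WordPress, and assumes that `htmlspecialchars()` with `ENT_QUOTES` performs the same character substitutions as WordPress's `esc_html()`.

```php
<?php
// Added demonstration, not code from the original answer. Plain PHP, no
// WordPress load required; htmlspecialchars() with ENT_QUOTES is assumed to
// perform the same character substitutions as WordPress's esc_html().

/** The substitutions esc_html() makes: & < > " ' become HTML entities. */
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** Lists the characters in $css that HTML escaping would rewrite. */
function css_breaking_chars(string $css): array
{
    $hits = [];
    foreach (['&', '<', '>', '"', "'"] as $ch) {
        if (strpos($css, $ch) !== false) {
            $hits[] = $ch;
        }
    }
    return $hits;
}

// Constructed sample of valid, harmless user CSS. Nowdoc: no escape processing.
$userCss = <<<'CSS'
.nav > li::before { content: "\201C"; }
a[href^='https'] { color: #0a0; }
CSS;

echo "Characters esc_html() would rewrite: ", implode(' ', css_breaking_chars($userCss)), PHP_EOL;
echo html_escape($userCss), PHP_EOL;
// The escaped text reads `.nav &gt; li::before { content: &quot;\201C&quot;; }` and
// `a[href^=&#039;https&#039;]`: a browser's CSS parser never decodes HTML entities,
// so both rules silently stop matching. The only way to keep them working is to
// echo the string untouched, which is exactly the trust problem the answer describes.
```

Because there is no CSS-aware equivalent of `esc_html()` or `wp_kses()` in core, the safe place for hand-written CSS remains a child theme's own stylesheet, where only the site's theme author edits it.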