How to escape custom css?

What you (and probably 99% of the theme authors) are trying to do is just wrong. Users should not be expected to know CSS to customize a theme, and if they do need to go into such a low level, the right thing for them to do is to create a child theme and insert their modifications into its CSS file.

Inputting a CSS in the way you describe is tricky as CSS is not general html and can not be escaped in the same way, but it is also impossible to sanitize and remove potentially insecure code from it. What you end up with is a situation in which you have to output the user’s CSS “as is” in order to be sure you do not break it, but then in the place where such a feature is most useful – multisite, it is too insecure to be used.

Related Posts:

  1. Do we need to escape data that we receive from theme options?
  2. What’s the difference between esc_* functions?
  3. How Could I sanitize the receive data from this code
  4. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  5. how to sanitizing $_POST with the correct way?
  6. Should I escape wordpress functions like the_title, the_excerpt, the_content
  7. How safe / sanitized is wp_insert_posts()?
  8. When to use esc_html and when to use sanitize_text_field?
  9. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  10. What is the difference between esc_html filter vs attribute_escape filter?
  11. What to use instead of wp_kses() in user output
  12. is_email() VS sanitize_email()
  13. Which KSES should be used and when?
  14. Do Cookies Need to be Sanatized Before Being Saved?
  15. Do you need to escape hard coded plain text?
  16. Do I need to use the esc_html() function on hard coded links?
  17. Sanitizing comments or escaping comment_text()
  18. Is default functions like update_post_meta safe to use user inputs?
  19. vs WordPress Security
  20. Something is unescaping all html entities before output to browser [closed]
  21. Is wp_kses the right approach in sanitizing this string?
  22. Is it sensible to worry about sanitizing admin input in plugin custom CSS?
  23. What is the safe way to print tracking code / pixel code before tag or tag
  24. Does meta-data need to be sanitized?
  25. should I escape a literal url added in functions.php
  26. How WordPress sanitizes post content on save? Or it doesn’t?
  27. esc_url, esc_url_raw or sanitize_url?
  28. What’s the best approach for generating a new API key?
  29. Simplest two-way encryption using PHP
  30. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  31. how fix “this certificate cannot be verified up to a trusted certification authority”
  32. How can bcrypt have built-in salts?
  33. Getting a List of Currently Available Roles on a WordPress Site?
  34. Why are passwords exportable as plain text in WordPress?
  35. Is there a way to force ssl on certain pages
  36. What is the purpose of having a token in cookies?
  37. How to remove “Connection Information” requirement on localhost install of WP on MACOSX
  38. How to sanitize select box values in post meta?
  39. WordPress “Site Health Status” trust it or myself for its security advice?
  40. Is WP vulnerable when updating plugins or themes?
  41. Secure Validation of wp_editor in Theme Options
  42. Garbage in beginning of wp-config.php – was this WP installation compromised?
  43. What is the relationship between cURL, WordPress and cacert.pem?
  44. Is it necessary to use esc_url with template tags such as get_permalink?
  45. How to prevent bot or someone to modify any file automatically?
  46. HTTP Security Headers in wp-config
  47. Staging Site: Made Public – Security Questions
  48. Best Way to Enable Two Step Authentication
  49. Must I serialize/sanitize/escape array data before using set_transient?
  50. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  51. Securing a multi-user permission structure
  52. No option “I would like my site to be private, visible only to users I choose” in Privacy Settings
  53. Securing wp-config leads to sensitive information leak on wp-settings
  54. Should you escape hardcoded URLs?
  55. How to sanitize user input?
  56. Suspicious Files
  57. What’s the point of forbidding access to wp-config.php?
  58. wp-json and what data does it give away?
  59. Is is necessary to use security plugin for wordpress? [closed]
  60. neccessary?
  61. Client side HTTP parameter pollution (reflected)
  62. Local file inclusion critical security issue [closed]
  63. my wordpress website is suspended [closed]
  64. XMLRPC slow and weird websites/services
  65. iTheme Security always lockout my account [closed]
  66. WordPress Front end Form – Enable to Submit PHP Codes
  67. Getting error to display radio button value in General Settings page
  68. Is it safe use wp_editor in public contact form
  69. Is WordPress MultiSite secure & how much can it scale? [closed]
  70. How to find exploited wordpress plugin [closed]
  71. How safe is current_user_can()?
  72. Is it safe to give wordpress directories ownership to www-data?
  73. Why does WordPress change a file’s permissions?
  74. Side effects of disallowing *.php requests in production environment?
  75. Why would you use esc_attr() on internal functions?
  76. Outgoing new connection to linked Websites – why?
  77. Input sanitation
  78. My Site keeps crashing due to the wp-confg file being deleted
  79. Someone keeps changing my SITEURL (mysql injection or xss?) [closed]
  80. Replace domain in database
  81. What highest security brake with wordpress and static files?
  82. How to use checked() function with multiple check box group? How to properly sanitize that checkbox group?
  83. Spam in WordPress root folder
  84. echo cutom css code to WordPress page template file ? is this safe?
  85. HSTS header not being added correctly
  86. Cannot access wp admin of WordPress website (security plugin issue) [closed]
  87. Why are the latest visits to my website originating from my own website?
  88. Escaping and sanitization
  89. Secure Multiple WordPress Installations on shared hosting
  90. How to display post meta data in secure manner
  91. How do I hide WordPress users from security scanning?
  92. Background Updates Not Happening
  93. wp-config.php file and code injection
  94. FORCE_SSL_ADMIN affecting subdomains
  95. What is the best security $_POST method?
  96. Bank account number and Sort Code in a form [closed]
  97. Move data from wp-config to another file
  98. Heartbleed: What is it and what are options to mitigate it?
  99. OpenVPN vs. IPsec – Pros and cons, what to use?
  100. Escaping data from database (users table) is necessary?

Leave a Comment