Using esc_html with HTML purifier and CSSTidy: Overkill?

Currently my text area input (which accepts custom CSS input from a user) in the WordPress theme options panel is sanitized by the esc_html function in WordPress: http://codex.wordpress.org/Function_Reference/esc_html

However, I am thinking of a secure approach, so I would like to add HTML Purifier and CSSTidy as illustrated here: https://stackoverflow.com/questions/3241616/sanitize-user-defined-css-in-php

Is this necessary? Or does a WordPress core function like esc_html already use HTML Purifier, so this is no longer needed? Please advise. Thanks.

1 Answer

If you worry only about the admin panel, then esc_html will be enough, as it will convert every "<" into &lt;, eliminating the possibility of having valid HTML tags inserted.

But if you add the CSS to the generated HTML, you might need to strip any HTML tag it may contain by using the wp_kses function:

    // Empty allowed-tag and allowed-protocol lists: wp_kses removes every HTML tag
    $css = wp_kses( $css, array(), array() );

should strip all possible HTML from the CSS.

But stripping is not needed at all if the user has the unfiltered_html capability, usually the admin of a stand-alone site.
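The approach described in this answer, wired into a theme options field as an added example (this is not code from the question, the answer or WordPress itself): the sanitize callback lets users with unfiltered_html store the CSS as typed and runs wp_kses with empty allowed lists for everyone else, and the stored value is then printed inside a style block on the front end. The option group, option name, function names and the stylesheet handle my-theme-style are assumed for illustration.

```php
<?php
// Added example. Option, function and handle names below are assumptions.

/**
 * Sanitize callback for the custom CSS option.
 * Runs when the option is saved, so the front end only ever sees cleaned data.
 */
function my_theme_sanitize_custom_css( $css ) {
    $css = (string) $css;

    // As the answer notes: a user with unfiltered_html (normally the admin of a
    // stand-alone site) may store markup anyway, so there is nothing to strip.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $css;
    }

    // Everyone else: empty allowed-tag and allowed-protocol lists make wp_kses
    // remove every HTML tag, so the stored CSS cannot close the <style> element
    // or start a <script> element when it is printed into the page.
    return wp_kses( $css, array(), array() );
}

// Register the option with the sanitize callback (assumed option group/name).
add_action( 'admin_init', function () {
    register_setting(
        'my_theme_options',
        'my_theme_custom_css',
        array( 'sanitize_callback' => 'my_theme_sanitize_custom_css' )
    );
} );

// Admin form: when echoing the stored value back into the textarea, escape it
// for the HTML context it lands in (the textarea), not for CSS.
function my_theme_custom_css_field() {
    $css = get_option( 'my_theme_custom_css', '' );
    echo '<textarea name="my_theme_custom_css" rows="10" cols="60">'
        . esc_textarea( $css )
        . '</textarea>';
}

// Front end: attach the stored CSS to an already-enqueued stylesheet handle
// ('my-theme-style' is assumed to be enqueued by the theme). wp_add_inline_style
// wraps the value in a <style> block and prints it as-is, which is why the
// sanitizing happens at save time above.
add_action( 'wp_enqueue_scripts', function () {
    $css = get_option( 'my_theme_custom_css', '' );
    if ( '' !== $css ) {
        wp_add_inline_style( 'my-theme-style', $css );
    }
} );
```

Two caveats worth checking before adopting this. First, esc_html is the wrong tool for the front-end output itself: inside a style element entities are not decoded, so a selector such as `a > b` would be printed as `a &gt; b` and stop matching; esc_html belongs on the admin-form side, where esc_textarea is the fitting variant. Second, wp_kses is not CSS-aware either: it converts a bare `>` into `&gt;` as well, so child combinators in user CSS are mangled by the stripping step; if that matters for your users, reject input that contains anything tag-like (for example `preg_match( '#</?\w+#', $css )` reporting an error via add_settings_error) instead of stripping it, which is the stricter choice for a field whose output is printed verbatim.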