Using esc_html with HTML purifier and CSSTidy: Overkill?

Currently my text area input (which accepts custom CSS input from a user) in the WordPress theme options panel are sanitized by esc_html function in WordPress http://codex.wordpress.org/Function_Reference/esc_html

However I am thinking a secure approach, so I would like to add HTML purifier and CSSTidy like it’s illustrated here: https://stackoverflow.com/questions/3241616/sanitize-user-defined-css-in-php

Read More

Is this necessary? Or WordPress core function like esc_html already uses HTML purifier so this is not anymore needed. Please advise. Thanks.

Related posts

Leave a Reply

1 comment

  1. If you worry only about the admin panel then esc_html will be enough as it will convert every “<” into &lt; eliminating the possibility of having a valid HTML tags inserted.

    But if you add the CSS to the generated HTML you might need to strip any HTML tag it may contain by using the wp_kses function

    $css = wp_kses($css,array(),array());
    

    should strip all possible HTML from the CSS.

    But stripping is not needed at all if the user has unfiltered_html capability, usually the admin of a stand alone site.