I have a textarea for small CSS enhancements on the plugin's page; I output them directly to the head. My question is how to sanitize the CSS.
I have a validation function registered for the options with register_setting. On the settings page, right now
$output['css'] = (string) $input['css'];
is all I am doing. Should I escape it somehow? What does WordPress do with it? Does it do some escaping by itself for the database? Could some evil injection take place here?
For output I use esc_attr(); so far it's working great, but I just want to ask if there is something better for it. I just tested " characters; they are obviously translated into &quot;. I just tested it and they seem not to break the CSS in Firefox, but of course this feels bad. So what should I use instead?
echo '<style type="text/css" media="screen">' . esc_attr( $css ) . '</style>';
Btw, I don't care about "; you don't really need them in CSS, or am I wrong? You can do url("bla") or url(bla) and both work. Or is there a reason to support "s in CSS?
Update 1:
After 2 answers, a lot of talk and thinking, I would still like to know if my thought process is so wrong to escape it twice now with wp_filter_nohtml_kses(), on database input and on output. I would be happy to get an answer from someone with security expertise.
Update 2:
I just noticed that wp_filter_nohtml_kses() would not allow > or <; since they are CSS selectors, maybe it isn't the right filter after all. Maybe there are other things it filters that I might want in CSS?
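An added example of a sanitizer matched to the <style> element context described in the question (this is not code from the question or from WordPress core; the option group/name myplugin_options and the array key css are assumed):

```php
<?php
/**
 * Added example, not code from the question or from WordPress core.
 * Assumed names: option group/name 'myplugin_options', array key 'css'.
 *
 * Inside a <style> element the HTML parser is in raw-text mode: entities are
 * NOT decoded (so esc_attr()'s &quot; stays literal and breaks url("...")) and
 * the only way out of the element is the character sequence "</style".  Hence
 * ">" (the CSS child combinator) is harmless here and "<" is the one character
 * to control.  Replacing "<" with its CSS escape "\3c " keeps the author's
 * meaning inside strings and url() while making a closing tag impossible.
 */
function myplugin_sanitize_css( $css ) {
	$css = (string) $css;
	$css = str_replace( array( "\r\n", "\r" ), "\n", $css );
	// "\3c " is U+003C "<" in CSS; the trailing space is consumed by the escape.
	// (Simply deleting "<" is an acceptable, blunter alternative.)
	return str_replace( '<', '\\3c ', $css );
}

// register_setting() sanitize callback: the option is an array with key 'css'.
function myplugin_validate_options( $input ) {
	$output        = array();
	$output['css'] = myplugin_sanitize_css( isset( $input['css'] ) ? $input['css'] : '' );
	return $output;
}

// Output: no esc_attr(); sanitize again so a value that reached the database
// by another route (import, direct SQL) is still covered.
function myplugin_print_css() {
	$options = get_option( 'myplugin_options' );
	if ( empty( $options['css'] ) ) {
		return;
	}
	echo '<style type="text/css" media="screen">' . myplugin_sanitize_css( $options['css'] ) . "</style>\n";
}

if ( function_exists( 'add_action' ) ) {
	add_action( 'admin_init', function () {
		register_setting( 'myplugin_options', 'myplugin_options', 'myplugin_validate_options' );
	} );
	add_action( 'wp_head', 'myplugin_print_css' );
} else {
	// Stand-alone check with constructed input when run outside WordPress.
	$bad  = "ul > li { background: url(\"a.png\") }\n</style><b>breakout</b>";
	$safe = myplugin_sanitize_css( $bad );
	assert( false === stripos( $safe, '</style' ) );      // cannot close the element
	assert( false !== strpos( $safe, 'ul > li' ) );       // combinator survives
	assert( false !== strpos( $safe, 'url("a.png")' ) );  // quotes survive
	echo $safe, "\n";
}
```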