Twenty Seventeen: sanitize output of twentyseventeen_custom_colors_css()

[viralsampat]

Hello Team,

I have checked WordPress fork and found PHPCS Warning in functions.php file for "TwentySeventeen" theme.

i.e

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'twentyseventeen_custom_colors_css'.

<style type="text/css" id="custom-theme-colors" <?php echo $customize_preview_data_hue; ?>>
	<?php echo twentyseventeen_custom_colors_css(); ?>
</style>

Note: I have checked the core trac and found the similar issue. #62787

Thanks,

[viralsampat]

Hello Team,

I have added its PR, Please review it: PR​https://github.com/WordPress/wordpress-develop/pull/8108

Thanks,

Trac ticket: https://core.trac.wordpress.org/ticket/62798

This PR adds proper sanitization to the custom colors CSS output in the Twenty Seventeen theme. The twentyseventeen_custom_colors_css() function's output is filterable and currently outputs unsanitized content.

The PR wraps outputs with wp_strip_all_tags() to ensure only CSS is included, preventing potential injection of unwanted HTML through filters.

Thanks,

Trac ticket: https://core.trac.wordpress.org/ticket/62798

This PR adds proper sanitization to the custom colors CSS output in the Twenty Seventeen theme. The twentyseventeen_custom_colors_css() function's output is filterable and currently outputs unsanitized content.

The PR wraps outputs with wp_strip_all_tags() to ensure only CSS is included, preventing potential injection of unwanted HTML through filters.

Thanks,