How to escape custom css?
I'm creating a WordPress theme in which I've allowed users to add some custom css from the Theme Options. This css code then directly gets echoed out in the head section of the page, with the following code:
add_action('wp_head', 'theme_dynamic_css');
function theme_dynamic_css(){
  global $my_theme_options;
  $custom_css = '';
  if (isset($my_theme_options['custom-css'])) {
    $custom_css .= $my_theme_options['custom-css']."\r\n";
  }
  echo 'style id="my-theme-custom-css"'.$custom_css.'/style';
}
Should I be using esc_html(); here? At first I assumed if the code is between the style tags, then it shouldn't be a problem, but now I'm confused.
Please help.
Topic theme-options sanitization escaping security Wordpress
Category Web