<?php

[0] Fix | Delete

/**

[1] Fix | Delete

* Custom CSS

[2] Fix | Delete

*

[3] Fix | Delete

* @package WordPress

[4] Fix | Delete

* @subpackage Twenty_Twenty_One

[5] Fix | Delete

* @since Twenty Twenty-One 1.0

[6] Fix | Delete

*/

[7] Fix | Delete

[8] Fix | Delete

/**

[9] Fix | Delete

* Generate CSS.

[10] Fix | Delete

*

[11] Fix | Delete

* @since Twenty Twenty-One 1.0

[12] Fix | Delete

*

[13] Fix | Delete

* @param string $selector The CSS selector.

[14] Fix | Delete

* @param string $style The CSS style.

[15] Fix | Delete

* @param string $value The CSS value.

[16] Fix | Delete

* @param string $prefix The CSS prefix.

[17] Fix | Delete

* @param string $suffix The CSS suffix.

[18] Fix | Delete

* @param bool $echo Echo the styles.

[19] Fix | Delete

*

[20] Fix | Delete

* @return string

[21] Fix | Delete

*/

[22] Fix | Delete

function twenty_twenty_one_generate_css( $selector, $style, $value, $prefix = '', $suffix = '', $echo = true ) {

[23] Fix | Delete

[24] Fix | Delete

// Bail early if there is no $selector elements or properties and $value.

[25] Fix | Delete

if ( ! $value || ! $selector ) {

[26] Fix | Delete

return '';

[27] Fix | Delete

}

[28] Fix | Delete

[29] Fix | Delete

$css = sprintf( '%s { %s: %s; }', $selector, $style, $prefix . $value . $suffix );

[30] Fix | Delete

[31] Fix | Delete

if ( $echo ) {

[32] Fix | Delete

/**

[33] Fix | Delete

* Note to reviewers: $css contains auto-generated CSS.

[34] Fix | Delete

* It is included inside <style> tags and can only be interpreted as CSS on the browser.

[35] Fix | Delete

* Using wp_strip_all_tags() here is sufficient escaping to avoid

[36] Fix | Delete

* malicious attempts to close </style> and open a <script>.

[37] Fix | Delete

*/

[38] Fix | Delete

echo wp_strip_all_tags( $css ); // phpcs:ignore WordPress.Security.EscapeOutput

[39] Fix | Delete

}

[40] Fix | Delete

return $css;

[41] Fix | Delete

}

[42] Fix | Delete

[43] Fix | Delete