Add escaping and sanitize the output of custom colors CSS into the Twentyseventeen theme.

[viralsampat-multidots]

Trac ticket: https://core.trac.wordpress.org/ticket/62798

This PR adds proper sanitization to the custom colors CSS output in the Twenty Seventeen theme. The twentyseventeen_custom_colors_css() function's output is filterable and currently outputs unsanitized content.

The PR wraps outputs with wp_strip_all_tags() to ensure only CSS is included, preventing potential injection of unwanted HTML through filters.

Thanks,

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props mdviralsampat.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[github-actions]

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

• The Plugin and Theme Directories cannot be accessed within Playground.
• All changes will be lost when closing a tab with a Playground instance.
• All changes will be lost when refreshing the page.
• A fresh instance is created each time the link below is clicked.
• Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
  it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

[sabernhardt]

Please remove esc_attr() and the extra space after the semicolon.

I should note that the preference between wp_strip_all_tags() and esc_html() is still questionable, but let's keep wp_strip_all_tags() in this PR for now.

[sabernhardt]

Suggested change

	<style type="text/css" id="custom-theme-colors" <?php echo esc_attr( $customize_preview_data_hue ); ?>>
	<style type="text/css" id="custom-theme-colors" <?php echo $customize_preview_data_hue; ?>>

The $customize_preview_data_hue variable should not be escaped:
<style type="text/css" id="custom-theme-colors" data-hue=&quot;356&quot;>
It is either an empty string or an attribute/value pair like data-hue="356". The absint() function ensures that the hue value is always an integer.

---

I would also like to move the space before the data-hue attribute inside the $customize_preview_data_hue variable, and the type attribute is unnecessary, but those changes are not important.

	if ( is_customize_preview() ) {
		$customize_preview_data_hue = ' data-hue="' . $hue . '"';
	}
	?>
	<style id="custom-theme-colors"<?php echo $customize_preview_data_hue; ?>>

[sabernhardt]

Suggested change

	<?php echo wp_strip_all_tags( twentyseventeen_custom_colors_css() ); ?>
	<?php echo wp_strip_all_tags( twentyseventeen_custom_colors_css() ); ?>

The PHP coding standards GitHub action caught that there are two spaces after the semicolon when it should only be one.