Here, I don't see the point. templates/misc/theming.php is meant to output CSS code. Why esc_attr() would be relevant in such context?

@tomjn can you clarify?

Sanitising and escaping aren't the same, sanitisation aims to clean up data, escaping is aimed at securing

For example, esc_attr will encode opening and closing brackets, making it safe to for viewing, whereas sanitize_html_class strips out characters.

In the case of CSS, esc_html would also work.

For reference, sanitize_html_class simply passes 2 regular expressions over the value to constrain the characters to a smaller subset:

https://core.trac.wordpress.org/browser/tags/4.9.7/src/wp-includes/formatting.php#L2073

It also passes it through a filter, which can be used to taint the value further

@tomjn I think I see your point. I'm going to replace the sanitize_* with esc_html in the templates used to generate CSS (i.e. templates/misc/theming.php and templates/misc/smallscreens.php).

Still, I have question regarding what is done in templates/misc/smallscreens.php. In this file, I use the following pattern:

<?php echo esc_html( $model->getAComplexCSSSelector() ); ?> {
   /* Some instruction */
}

Here, what is returned by $model->getAComplexCSSSelector() can be any valid CSS selector (see https://www.w3schools.com/cssref/css_selectors.asp). Can be for instance .some-css-class1 > .some-css-class2 or [someattribute="someValue"]. Obviously the esc_html(..) function would not have the expected effect with these two examples.

Hopefully, these special cases do not actually happen in RPB Chessboard. However, how should we handle properly these cases if we have to?

Fix available in 5.3.2.