I did a setup of scssphp in my framework and made it working with multiple files. Below is the code of how it output itself as text/css.
<?php header('Content-type: text/css');
ob_clean();
function scss_css() {
require "../SCSS-PHP/scss.inc.php";
$import_way = "../styles/scss/";
$compression = "scss_formatter_compressed";
$compiler_script = '@import "demo.scss"';
$scss = new scssc();
$scss->setImportPaths($import_way);
$scss->setFormatter($compression);
echo $scss->compile($compiler_script);
}
scss_css();
die();
?>
The call i used in html is:
<link rel="stylesheet" href="binder/loader.scss.php">
I would like to know if echo is safe for my future working scss setup. Can there be any attack on such a file output and any other suggestions to make it better?