3๐
โ
I know this is not exactly what you are hoping for, but the safest option is to allow the end users to save a copy of their template, render the html & css with all tags escaped. You can allow them to upload a picture of what the finished theme would look like.
Your second option is to allow them to upload anything but not display it on the website until you have audited what they have submitted.
๐คwlashell
Source:stackexchange.com