Derky pointed out that variables read from style.cfg are used in HTML as is. Now, with a malicious style, you probably have bigger problems. However, when the style name contains malicious HTML, it is persisted into the log table when installing the style which may go unnoticed by the admin.
This can be easily prevented by htmlspecialchar()ing data that is read from the files.