Escape several vars on Admin Classes

2021-11-05 14:05:55 +02:00
parent 8c5f7f4dd8
commit 0739ef53dc
8 changed files with 16 additions and 16 deletions
--- a/includes/admin/post-types/class-sp-admin-cpt-column.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-column.php
@@ -58,7 +58,7 @@ class SP_Admin_CPT_Column extends SP_Admin_CPT {
 		switch ( $column ):
 			case 'sp_key':
 				global $post;
-				echo $post->post_name;
+				echo esc_attr( $post->post_name );
 				break;
 			case 'sp_equation':
 				echo sp_get_post_equation( $post_id );
--- a/includes/admin/post-types/class-sp-admin-cpt-event.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-event.php
@@ -218,9 +218,9 @@ class SP_Admin_CPT_Event extends SP_Admin_CPT {
 									$team_results = implode( ' | ', $team_results );
 								endif;

-								echo '<a class="sp-result sp-tip" tabindex="10" title="' . $team_results . '" data-team="' . $team_id . '" href="#">' . ( $team_result == '' ? '-' : apply_filters( 'sportspress_event_team_result_admin', $team_result, $post_id, $team_id ) ) . '</a>';
-								echo '<input type="text" tabindex="10" class="sp-edit-result hidden small-text" data-team="' . $team_id . '" data-key="' . $main_result . '" value="' . $team_result . '"> ';
-								echo $team->post_title;
+								echo '<a class="sp-result sp-tip" tabindex="10" title="' . esc_attr( $team_results ) . '" data-team="' . esc_attr( $team_id ) . '" href="#">' . ( $team_result == '' ? '-' : apply_filters( 'sportspress_event_team_result_admin', $team_result, $post_id, $team_id ) ) . '</a>';
+								echo '<input type="text" tabindex="10" class="sp-edit-result hidden small-text" data-team="' . esc_attr( $team_id ) . '" data-key="' . esc_attr( $main_result ) . '" value="' . esc_attr( $team_result ) . '"> ';
+								echo esc_attr( $team->post_title );
 								echo '<br>';
 							endif;
 						endforeach;
@@ -248,7 +248,7 @@ class SP_Admin_CPT_Event extends SP_Admin_CPT {
 			case 'sp_day':
 				$day = get_post_meta ( $post_id, 'sp_day', true );
 				if ( '' === $day ) $day = __( 'Default', 'sportspress' );
-				echo $day;
+				echo esc_attr( $day );
 				break;
 		endswitch;
 	}
--- a/includes/admin/post-types/class-sp-admin-cpt-list.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-list.php
@@ -85,7 +85,7 @@ class SP_Admin_CPT_List extends SP_Admin_CPT {
 					foreach( $teams as $team_id ):
 						if ( ! $team_id ) continue;
 						$team = get_post( $team_id );
-						if ( $team ) echo $team->post_title . '<br>';
+						if ( $team ) echo esc_attr( $team->post_title ) . '<br>';
 					endforeach;
 				endif;
 				break;
--- a/includes/admin/post-types/class-sp-admin-cpt-metric.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-metric.php
@@ -55,7 +55,7 @@ class SP_Admin_CPT_Metric extends SP_Admin_CPT {
 		switch ( $column ):
 			case 'sp_key':
 				global $post;
-				echo $post->post_name;
+				echo esc_attr( $post->post_name );
 				break;
 			case 'sp_description':
 				global $post;
--- a/includes/admin/post-types/class-sp-admin-cpt-outcome.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-outcome.php
@@ -56,7 +56,7 @@ class SP_Admin_CPT_Outcome extends SP_Admin_CPT {
 		switch ( $column ):
 			case 'sp_key':
 				global $post;
-				echo $post->post_name;
+				echo esc_attr( $post->post_name );
 				break;
 			case 'sp_abbreviation':
 				global $post;
--- a/includes/admin/post-types/class-sp-admin-cpt-performance.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-performance.php
@@ -61,7 +61,7 @@ class SP_Admin_CPT_Performance extends SP_Admin_CPT {
 				break;
 			case 'sp_key':
 				global $post;
-				echo $post->post_name;
+				echo esc_attr( $post->post_name );
 				break;
 			case 'sp_section':
 				global $post;
--- a/includes/admin/post-types/class-sp-admin-cpt-player.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-player.php
@@ -110,7 +110,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
 						if ( ! $team_id ) continue;
 						$team = get_post( $team_id );
 						if ( $team ):
-							echo $team->post_title;
+							echo esc_attr( $team->post_title );
 							if ( in_array( $team_id, $current_teams ) ):
 								echo '<span class="dashicons dashicons-yes" title="' . __( 'Current Team', 'sportspress' ) . '"></span>';
 							endif;
@@ -257,14 +257,14 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
 				<input type="hidden" name="sp_current_team[]" value="0">
 				<ul class="cat-checklist">
 					<?php foreach ( $teams as $team ) { ?>
-					<li><label class="selectit"><input value="<?php echo $team->ID; ?>" type="checkbox" name="sp_current_team[]"> <?php echo $team->post_title; ?></label></li>
+					<li><label class="selectit"><input value="<?php echo esc_attr( $team->ID ); ?>" type="checkbox" name="sp_current_team[]"> <?php echo esc_attr( $team->post_title ); ?></label></li>
 					<?php } ?>
 				</ul>
 				<span class="title inline-edit-categories-label"><?php _e( 'Past Teams', 'sportspress' ); ?></span>
 				<input type="hidden" name="sp_past_team[]" value="0">
 				<ul class="cat-checklist">
 					<?php foreach ( $teams as $team ) { ?>
-					<li><label class="selectit"><input value="<?php echo $team->ID; ?>" type="checkbox" name="sp_past_team[]"> <?php echo $team->post_title; ?></label></li>
+					<li><label class="selectit"><input value="<?php echo esc_attr( $team->ID ); ?>" type="checkbox" name="sp_past_team[]"> <?php echo esc_attr( $team->post_title ); ?></label></li>
 					<?php } ?>
 				</ul>
 			</div>
@@ -326,14 +326,14 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
 				<input type="hidden" name="sp_current_team[]" value="0">
 				<ul class="cat-checklist">
 					<?php foreach ( $teams as $team ) { ?>
-					<li><label class="selectit"><input value="<?php echo $team->ID; ?>" type="checkbox" name="sp_current_team[]"> <?php echo $team->post_title; ?></label></li>
+					<li><label class="selectit"><input value="<?php echo esc_attr( $team->ID ); ?>" type="checkbox" name="sp_current_team[]"> <?php echo esc_attr( $team->post_title ); ?></label></li>
 					<?php } ?>
 				</ul>
 				<span class="title inline-edit-categories-label"><?php _e( 'Past Teams', 'sportspress' ); ?></span>
 				<input type="hidden" name="sp_past_team[]" value="0">
 				<ul class="cat-checklist">
 					<?php foreach ( $teams as $team ) { ?>
-					<li><label class="selectit"><input value="<?php echo $team->ID; ?>" type="checkbox" name="sp_past_team[]"> <?php echo $team->post_title; ?></label></li>
+					<li><label class="selectit"><input value="<?php echo esc_attr( $team->ID ); ?>" type="checkbox" name="sp_past_team[]"> <?php echo esc_attr( $team->post_title ); ?></label></li>
 					<?php } ?>
 				</ul>
 			</div>
--- a/includes/admin/post-types/class-sp-admin-cpt-result.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-result.php
@@ -55,11 +55,11 @@ class SP_Admin_CPT_Result extends SP_Admin_CPT {
 		switch ( $column ):
 			case 'sp_key':
 				global $post;
-				echo $post->post_name . 'for, ' . $post->post_name . 'against';
+				echo esc_attr( $post->post_name ) . 'for, ' . esc_attr( $post->post_name ) . 'against';
 				break;
 			case 'sp_description':
 				global $post;
-				echo '<span class="description">' . $post->post_excerpt . '</span>';
+				echo '<span class="description">' . wp_kses_post( $post->post_excerpt ) . '</span>';
 				break;
 		endswitch;
 	}