Escape admin inputs

This commit is contained in:
Brian Miyaji
2015-10-04 16:34:18 +11:00
parent 9590ef79a4
commit db95c79eb4
11 changed files with 23 additions and 22 deletions


@@ -82,11 +82,11 @@ class SP_Admin_Taxonomies {
</div>
<div class="form-field">
<label for="term_meta[sp_latitude]"><?php _e( 'Latitude', 'sportspress' ); ?></label>
<input type="text" class="sp-latitude" name="term_meta[sp_latitude]" id="term_meta[sp_latitude]" value="<?php echo $latitude; ?>">
<input type="text" class="sp-latitude" name="term_meta[sp_latitude]" id="term_meta[sp_latitude]" value="<?php echo esc_attr( $latitude ); ?>">
</div>
<div class="form-field">
<label for="term_meta[sp_longitude]"><?php _e( 'Longitude', 'sportspress' ); ?></label>
<input type="text" class="sp-longitude" name="term_meta[sp_longitude]" id="term_meta[sp_longitude]" value="<?php echo $longitude; ?>">
<input type="text" class="sp-longitude" name="term_meta[sp_longitude]" id="term_meta[sp_longitude]" value="<?php echo esc_attr( $longitude ); ?>">
</div>
<?php
}


@@ -82,11 +82,11 @@ class SP_Admin_CPT_Team extends SP_Admin_CPT {
echo has_post_thumbnail( $post_id ) ? edit_post_link( get_the_post_thumbnail( $post_id, 'sportspress-fit-mini' ), '', '', $post_id ) : '';
break;
case 'sp_url':
echo sp_get_url( $post_id );
echo esc_html( sp_get_url( $post_id ) );
break;
case 'sp_abbreviation':
$abbreviation = get_post_meta ( $post_id, 'sp_abbreviation', true );
echo $abbreviation ? $abbreviation : '&mdash;';
echo $abbreviation ? esc_html( $abbreviation ) : '&mdash;';
break;
case 'sp_league':
echo get_the_terms ( $post_id, 'sp_league' ) ? the_terms( $post_id, 'sp_league' ) : '&mdash;';


@@ -26,7 +26,7 @@ class SP_Meta_Box_Event_Details {
<div class="sp-event-minutes-field">
<p><strong><?php _e( 'Full Time', 'sportspress' ); ?></strong></p>
<p>
<input name="sp_minutes" type="number" step="1" min="0" class="small-text" placeholder="<?php echo get_option( 'sportspress_event_minutes', 90 ); ?>" value="<?php echo $minutes; ?>">
<input name="sp_minutes" type="number" step="1" min="0" class="small-text" placeholder="<?php echo get_option( 'sportspress_event_minutes', 90 ); ?>" value="<?php echo esc_attr( $minutes ); ?>">
<?php _e( 'mins', 'sportspress' ); ?>
</p>
</div>
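Review bot: The `placeholder` attribute on the sp_minutes input is still echoed raw from `get_option( 'sportspress_event_minutes', 90 )` while the adjacent `value` on the same rewritten line now gets esc_attr(); both sit in the same double-quoted attribute context and the option is stored data of the same trust level as the post meta. Escape it the same way: `placeholder="<?php echo esc_attr( get_option( 'sportspress_event_minutes', 90 ) ); ?>"`. The enclosing output method starts and ends outside this hunk.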


@@ -214,7 +214,7 @@ class SP_Meta_Box_Event_Performance {
$player_performance = sp_array_value( $data, $player_id, array() );
$value = sp_array_value( $player_performance, $column, '' );
?>
<td><input type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" placeholder="0" <?php if ( $split_positions ) { ?>readonly="readonly"<?php } else { ?>value="<?php echo $value; ?>"<?php } ?> /></td>
<td><input type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" placeholder="0" <?php if ( $split_positions ) { ?>readonly="readonly"<?php } else { ?>value="<?php echo esc_attr( $value ); ?>"<?php } ?> /></td>
<?php endforeach; ?>
<?php if ( $status ) { ?>
<td>&nbsp;</td>
@@ -240,7 +240,7 @@ class SP_Meta_Box_Event_Performance {
<?php } ?>
<?php if ( $numbers ) { ?>
<td>
<input class="small-text sp-player-number-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][number]" value="<?php echo $value; ?>" />
<input class="small-text sp-player-number-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][number]" value="<?php echo esc_attr( $value ); ?>" />
</td>
<?php } ?>
<td><?php echo get_the_title( $player_id ); ?></td>
@@ -270,7 +270,7 @@ class SP_Meta_Box_Event_Performance {
$value = sp_array_value( $player_performance, $column, '' );
?>
<td>
<input class="sp-player-<?php echo $column; ?>-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo $value; ?>" placeholder="0" />
<input class="sp-player-<?php echo $column; ?>-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="0" />
</td>
<?php endforeach; ?>
<?php if ( $status ) { ?>
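Review bot: In all three rewritten input lines `$column` is still interpolated unescaped into the `name` attribute, and in the third also into the `class` attribute, while only `$value` received esc_attr(). `$column` comes from the `$columns` iteration (presumably a performance-variable slug; its origin is not visible here), so it is stored data just like `$value` and should get the same treatment: `name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo esc_attr( $column ); ?>]"` and `class="sp-player-<?php echo esc_attr( $column ); ?>-input"`. `$team_id` and `$player_id` look like post IDs but nothing in the hunk casts them, so `absint()` there would make that assumption explicit. The enclosing output method starts and ends outside these hunks.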


@@ -267,7 +267,7 @@ class SP_Meta_Box_Event_Results {
<?php foreach( $columns as $column => $label ):
$value = sp_array_value( $team_results, $column, '' );
?>
<td><input type="text" name="sp_results[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo $value; ?>"<?php if ( in_array( $column, $auto_columns ) ) { ?> placeholder="<?php _e( '(Auto)', 'sportspress' ); ?>"<?php } ?> /></td>
<td><input type="text" name="sp_results[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>"<?php if ( in_array( $column, $auto_columns ) ) { ?> placeholder="<?php _e( '(Auto)', 'sportspress' ); ?>"<?php } ?> /></td>
<?php endforeach; ?>
<td>
<?php
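Review bot: The rewritten line still echoes `$column` raw into `name="sp_results[<?php echo $team_id; ?>][<?php echo $column; ?>]"` on the same line that now escapes `$value`; `$column` is a key of the `$columns` array (origin not visible here) and deserves the same `esc_attr( $column )`. Separately, `in_array( $column, $auto_columns )` is a loose comparison; `in_array( $column, $auto_columns, true )` avoids PHP's string/number juggling if a column key ever looks numeric. The enclosing method starts and ends outside this hunk.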


@@ -97,7 +97,7 @@ class SP_Meta_Box_List_Data {
<a class="dashicons dashicons-edit sp-edit" title="<?php _e( 'Edit', 'sportspress' ); ?>"></a>
</span>
<span class="hidden sp-custom-value">
<input type="text" name="sp_players[<?php echo $player_id; ?>][name]" class="name sp-custom-value-input" value="<?php echo sp_array_value( $player_stats, 'name', '' ); ?>" placeholder="<?php echo get_the_title( $player_id ); ?>" size="6">
<input type="text" name="sp_players[<?php echo $player_id; ?>][name]" class="name sp-custom-value-input" value="<?php echo esc_attr( sp_array_value( $player_stats, 'name', '' ) ); ?>" placeholder="<?php echo esc_attr( get_the_title( $player_id ) ); ?>" size="6">
<a class="button button-secondary sp-cancel"><?php _e( 'Cancel', 'sportspress' ); ?></a>
<a class="button button-primary sp-save"><?php _e( 'Save', 'sportspress' ); ?></a>
</span>
@@ -124,7 +124,7 @@ class SP_Meta_Box_List_Data {
$value = sp_array_value( $player_stats, $column, '' );
$placeholder = sp_array_value( sp_array_value( $placeholders, $player_id, array() ), $column, 0 );
?>
<td><input type="text" name="sp_players[<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo htmlspecialchars( $value ); ?>" placeholder="<?php echo htmlspecialchars( $placeholder ); ?>" data-placeholder="<?php echo htmlspecialchars( $placeholder ); ?>" data-matrix="<?php echo $player_id; ?>_<?php echo $column; ?>" data-adjustment="<?php echo sp_array_value( sp_array_value( $adjustments, $player_id, array() ), $column, 0 ); ?>" /></td>
<td><input type="text" name="sp_players[<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php echo esc_attr( $placeholder ); ?>" data-placeholder="<?php echo esc_attr( $placeholder ); ?>" data-matrix="<?php echo $player_id; ?>_<?php echo $column; ?>" data-adjustment="<?php echo sp_array_value( sp_array_value( $adjustments, $player_id, array() ), $column, 0 ); ?>" /></td>
<?php endforeach; ?>
</tr>
<?php
@@ -172,7 +172,7 @@ class SP_Meta_Box_List_Data {
if ( $column == 'team' ) continue;
$value = sp_array_value( sp_array_value( $adjustments, $player_id, array() ), $column, '' );
?>
<td><input type="text" name="sp_adjustments[<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo $value; ?>" placeholder="0" data-matrix="<?php echo $player_id; ?>_<?php echo $column; ?>" /></td>
<td><input type="text" name="sp_adjustments[<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="0" data-matrix="<?php echo $player_id; ?>_<?php echo $column; ?>" /></td>
<?php endforeach; ?>
</tr>
<?php
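Review bot: On the rewritten row input, `data-adjustment="<?php echo sp_array_value( sp_array_value( $adjustments, $player_id, array() ), $column, 0 ); ?>"` is left unescaped even though `value`, `placeholder` and `data-placeholder` on the same line now use esc_attr(), and the parallel line in SP_Meta_Box_Table_Data in this same commit does escape data-adjustment; the two should agree: `data-adjustment="<?php echo esc_attr( sp_array_value( sp_array_value( $adjustments, $player_id, array() ), $column, 0 ) ); ?>"`. `$column` in the `name` and `data-matrix` attributes is also echoed raw in both rewritten rows and would take `esc_attr( $column )` the same way. The enclosing methods start and end outside these hunks.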


@@ -171,7 +171,7 @@ class SP_Meta_Box_Player_Details {
* Save meta box data
*/
public static function save( $post_id, $post ) {
update_post_meta( $post_id, 'sp_number', sp_array_value( $_POST, 'sp_number', '' ) );
update_post_meta( $post_id, 'sp_number', esc_attr( sp_array_value( $_POST, 'sp_number', '' ) ) );
sp_update_post_meta_recursive( $post_id, 'sp_nationality', sp_array_value( $_POST, 'sp_nationality', array() ) );
sp_update_post_meta_recursive( $post_id, 'sp_current_team', sp_array_value( $_POST, 'sp_current_team', array() ) );
sp_update_post_meta_recursive( $post_id, 'sp_past_team', sp_array_value( $_POST, 'sp_past_team', array() ) );
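Review bot: `esc_attr()` is an output-escaping function, and applying it to `$_POST['sp_number']` before update_post_meta() stores HTML-entity-encoded text in the database, so the stored value no longer equals what was submitted and any later comparison or non-HTML use of it sees the entities; input should be sanitized rather than escaped, e.g. `update_post_meta( $post_id, 'sp_number', sanitize_text_field( sp_array_value( $_POST, 'sp_number', '' ) ) );` (or `absint()` if the number is meant to be numeric, which the hunk does not establish). The three sp_update_post_meta_recursive() calls on the following lines still pass the raw $_POST arrays through, so any sanitization they rely on must live inside that helper, which is not visible here. No nonce or capability check is visible in this hunk; it is presumably done by the caller of save(), but that is worth confirming. The save() body continues past the end of the hunk.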


@@ -19,6 +19,7 @@ class SP_Meta_Box_Player_Metrics {
* Output the metabox
*/
public static function output( $post ) {
$metrics = get_post_meta( $post->ID, 'sp_metrics', true );
$args = array(
@@ -35,7 +36,7 @@ class SP_Meta_Box_Player_Metrics {
foreach ( $vars as $var ):
?>
<p><strong><?php echo $var->post_title; ?></strong></p>
<p><input type="text" name="sp_metrics[<?php echo $var->post_name; ?>]" value="<?php echo sp_array_value( $metrics, $var->post_name, '' ); ?>" /></p>
<p><input type="text" name="sp_metrics[<?php echo $var->post_name; ?>]" value="<?php echo esc_attr( sp_array_value( $metrics, $var->post_name, '' ) ); ?>" /></p>
<?php
endforeach;
else:
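Review bot: The rewritten metrics input still echoes `$var->post_name` unescaped into the `name` attribute, and the `<strong><?php echo $var->post_title; ?></strong>` on the line directly above prints a stored post title raw into HTML, while only the `value` gained esc_attr(); both are stored data from the metric posts and should be escaped for their context: `<p><strong><?php echo esc_html( $var->post_title ); ?></strong></p>` and `name="sp_metrics[<?php echo esc_attr( $var->post_name ); ?>]"`. The first hunk of this section adds one line according to its header, but the added line is not legible on this rendering and cannot be reviewed here. The output() method runs past the end of the second hunk.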


@@ -151,7 +151,7 @@ class SP_Meta_Box_Player_Statistics {
if ( $readonly )
echo $value ? $value : $placeholder;
else
echo '<input type="text" name="sp_statistics[' . $league_id . '][' . $div_id . '][' . $column . ']" value="' . $value . '" placeholder="' . $placeholder . '"' . ( $readonly ? ' disabled="disabled"' : '' ) . ' />';
echo '<input type="text" name="sp_statistics[' . $league_id . '][' . $div_id . '][' . $column . ']" value="' . esc_attr( $value ) . '" placeholder="' . esc_attr( $placeholder ) . '"' . ( $readonly ? ' disabled="disabled"' : '' ) . ' />';
?></td>
<?php endforeach; ?>
</tr>
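Review bot: The readonly branch two lines above the rewritten echo, `echo $value ? $value : $placeholder;`, still prints the statistic raw into the table cell, so the same stored `$value`/`$placeholder` that the commit now escapes for the input is unescaped when the cell is rendered as text: `echo esc_html( $value ? $value : $placeholder );`. In the rewritten line, `$league_id`, `$div_id` and `$column` are also concatenated raw into the `name` attribute; `esc_attr( $column )` at least, since `$column` is a stored key. The `( $readonly ? ' disabled="disabled"' : '' )` tail on that same line can never be true because the else branch only runs when `$readonly` is false, so it is dead code and could be dropped. The enclosing method starts and ends outside this hunk.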


@@ -84,7 +84,7 @@ class SP_Meta_Box_Table_Data {
<a class="dashicons dashicons-edit sp-edit" title="<?php _e( 'Edit', 'sportspress' ); ?>"></a>
</span>
<span class="hidden sp-custom-value">
<input type="text" name="sp_teams[<?php echo $team_id; ?>][name]" class="name sp-custom-value-input" value="<?php echo sp_array_value( $team_stats, 'name', '' ); ?>" placeholder="<?php echo get_the_title( $team_id ); ?>" size="6">
<input type="text" name="sp_teams[<?php echo $team_id; ?>][name]" class="name sp-custom-value-input" value="<?php echo esc_attr( sp_array_value( $team_stats, 'name', '' ) ); ?>" placeholder="<?php echo esc_attr( get_the_title( $team_id ) ); ?>" size="6">
<a class="button button-secondary sp-cancel"><?php _e( 'Cancel', 'sportspress' ); ?></a>
<a class="button button-primary sp-save"><?php _e( 'Save', 'sportspress' ); ?></a>
</span>
@@ -93,7 +93,7 @@ class SP_Meta_Box_Table_Data {
$value = sp_array_value( $team_stats, $column, '' );
$placeholder = sp_array_value( sp_array_value( $placeholders, $team_id, array() ), $column, 0 );
?>
<td><input type="text" name="sp_teams[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo $value; ?>" placeholder="<?php echo $placeholder; ?>" data-placeholder="<?php echo $placeholder; ?>" data-matrix="<?php echo $team_id; ?>_<?php echo $column; ?>" data-adjustment="<?php echo sp_array_value( sp_array_value( $adjustments, $team_id, array() ), $column, 0 ); ?>" /></td>
<td><input type="text" name="sp_teams[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php echo esc_attr( $placeholder ); ?>" data-placeholder="<?php echo esc_attr( $placeholder ); ?>" data-matrix="<?php echo $team_id; ?>_<?php echo $column; ?>" data-adjustment="<?php echo esc_attr( sp_array_value( sp_array_value( $adjustments, $team_id, array() ), $column, 0 ) ); ?>" /></td>
<?php endforeach; ?>
</tr>
<?php
@@ -137,7 +137,7 @@ class SP_Meta_Box_Table_Data {
<?php foreach( $columns as $column => $label ):
$value = sp_array_value( sp_array_value( $adjustments, $team_id, array() ), $column, '' );
?>
<td><input type="text" name="sp_adjustments[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo $value; ?>" placeholder="0" data-matrix="<?php echo $team_id; ?>_<?php echo $column; ?>" /></td>
<td><input type="text" name="sp_adjustments[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="0" data-matrix="<?php echo $team_id; ?>_<?php echo $column; ?>" /></td>
<?php endforeach; ?>
</tr>
<?php
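Review bot: Both rewritten input lines in the second and third hunks still echo `$column` raw into the `name` and `data-matrix` attributes while every value-like attribute on them now uses esc_attr(); as a stored column key it should be treated the same, e.g. `name="sp_teams[<?php echo $team_id; ?>][<?php echo esc_attr( $column ); ?>]"` and `data-matrix="<?php echo $team_id; ?>_<?php echo esc_attr( $column ); ?>"`. The `title="<?php _e( 'Edit', 'sportspress' ); ?>"` context line above uses `_e()` inside an attribute; WordPress provides `esc_attr_e()` for that position, although translated strings are a lower-risk source than post meta. The enclosing methods start and end outside these hunks.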


@@ -107,13 +107,13 @@ class SP_Meta_Box_Team_Details {
<?php } ?>
<p><strong><?php _e( 'Site URL', 'sportspress' ); ?></strong></p>
<p><input type="text" class="widefat" id="sp_url" name="sp_url" value="<?php echo $url; ?>"></p>
<p><input type="text" class="widefat" id="sp_url" name="sp_url" value="<?php echo esc_url( $url ); ?>"></p>
<?php if ( $url ): ?>
<p><a class="sp-link" title="<?php _e( 'Visit Site', 'sportspress' ); ?>" href="<?php echo $url; ?>" target="_blank"><?php _e( 'Visit Site', 'sportspress' ); ?></a></p>
<?php endif; ?>
<p><strong><?php _e( 'Abbreviation', 'sportspress' ); ?></strong></p>
<p><input type="text" id="sp_abbreviation" name="sp_abbreviation" value="<?php echo $abbreviation; ?>"></p>
<p><input type="text" id="sp_abbreviation" name="sp_abbreviation" value="<?php echo esc_attr( $abbreviation ); ?>"></p>
<?php
}
@@ -121,7 +121,7 @@ class SP_Meta_Box_Team_Details {
* Save meta box data
*/
public static function save( $post_id, $post ) {
update_post_meta( $post_id, 'sp_url', sp_array_value( $_POST, 'sp_url', '' ) );
update_post_meta( $post_id, 'sp_abbreviation', sp_array_value( $_POST, 'sp_abbreviation', '' ) );
update_post_meta( $post_id, 'sp_url', esc_url( sp_array_value( $_POST, 'sp_url', '' ) ) );
update_post_meta( $post_id, 'sp_abbreviation', esc_attr( sp_array_value( $_POST, 'sp_abbreviation', '' ) ) );
}
}
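Review bot: The "Visit Site" link two lines below the rewritten URL input still emits `href="<?php echo $url; ?>"` unescaped, so the `sp_url` meta is escaped in the input's `value` but not in the attribute where a `javascript:` or quote-breaking value actually matters; it should read `href="<?php echo esc_url( $url ); ?>"`, and that also covers values stored before this commit's save() change. In save(), `esc_url()` and `esc_attr()` are output-escaping functions rather than input sanitizers: esc_url() entity-encodes `&` as `&#038;`, so the stored URL differs from what was submitted, and the usual WordPress pattern is `esc_url_raw()` for storage and `sanitize_text_field()` for the abbreviation. No nonce or capability check is visible in save(); it is presumably handled by the caller, but worth confirming. output() begins outside the first hunk; save() is shown in full.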