From db95c79eb45fdf8103725fd2bf7adc84a2b9ac82 Mon Sep 17 00:00:00 2001
From: Brian Miyaji <brian@themeboy.com>
Date: Sun, 4 Oct 2015 16:34:18 +1100
Subject: [PATCH] Escape admin inputs

---
 includes/admin/class-sp-admin-taxonomies.php              | 4 ++--
 includes/admin/post-types/class-sp-admin-cpt-team.php     | 4 ++--
 .../meta-boxes/class-sp-meta-box-event-details.php        | 2 +-
 .../meta-boxes/class-sp-meta-box-event-performance.php    | 6 +++---
 .../meta-boxes/class-sp-meta-box-event-results.php        | 2 +-
 .../post-types/meta-boxes/class-sp-meta-box-list-data.php | 6 +++---
 .../meta-boxes/class-sp-meta-box-player-details.php       | 2 +-
 .../meta-boxes/class-sp-meta-box-player-metrics.php       | 3 ++-
 .../meta-boxes/class-sp-meta-box-player-statistics.php    | 2 +-
 .../meta-boxes/class-sp-meta-box-table-data.php           | 6 +++---
 .../meta-boxes/class-sp-meta-box-team-details.php         | 8 ++++----
 11 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/includes/admin/class-sp-admin-taxonomies.php b/includes/admin/class-sp-admin-taxonomies.php
index 9bbe8efd..b974363f 100644
--- a/includes/admin/class-sp-admin-taxonomies.php
+++ b/includes/admin/class-sp-admin-taxonomies.php
@@ -82,11 +82,11 @@ class SP_Admin_Taxonomies {
 		</div>
 		<div class="form-field">
 			<label for="term_meta[sp_latitude]"><?php _e( 'Latitude', 'sportspress' ); ?></label>
-			<input type="text" class="sp-latitude" name="term_meta[sp_latitude]" id="term_meta[sp_latitude]" value="<?php echo $latitude; ?>">
+			<input type="text" class="sp-latitude" name="term_meta[sp_latitude]" id="term_meta[sp_latitude]" value="<?php echo esc_attr( $latitude ); ?>">
 		</div>
 		<div class="form-field">
 			<label for="term_meta[sp_longitude]"><?php _e( 'Longitude', 'sportspress' ); ?></label>
-			<input type="text" class="sp-longitude" name="term_meta[sp_longitude]" id="term_meta[sp_longitude]" value="<?php echo $longitude; ?>">
+			<input type="text" class="sp-longitude" name="term_meta[sp_longitude]" id="term_meta[sp_longitude]" value="<?php echo esc_attr( $longitude ); ?>">
 		</div>
 	<?php
 	}
diff --git a/includes/admin/post-types/class-sp-admin-cpt-team.php b/includes/admin/post-types/class-sp-admin-cpt-team.php
index 6147c80c..8c2e50d3 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-team.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-team.php
@@ -82,11 +82,11 @@ class SP_Admin_CPT_Team extends SP_Admin_CPT {
 				echo has_post_thumbnail( $post_id ) ? edit_post_link( get_the_post_thumbnail( $post_id, 'sportspress-fit-mini' ), '', '', $post_id ) : '';
 				break;
 			case 'sp_url':
-	        	echo sp_get_url( $post_id );
+	        	echo esc_html( sp_get_url( $post_id ) );
 				break;
 			case 'sp_abbreviation':
 				$abbreviation = get_post_meta ( $post_id, 'sp_abbreviation', true );
-				echo $abbreviation ? $abbreviation : '&mdash;';
+				echo $abbreviation ? esc_html( $abbreviation ) : '&mdash;';
 				break;
 			case 'sp_league':
 				echo get_the_terms ( $post_id, 'sp_league' ) ? the_terms( $post_id, 'sp_league' ) : '&mdash;';
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-details.php
index f8cb29db..8a188a38 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-details.php
@@ -26,7 +26,7 @@ class SP_Meta_Box_Event_Details {
 		<div class="sp-event-minutes-field">
 			<p><strong><?php _e( 'Full Time', 'sportspress' ); ?></strong></p>
 			<p>
-				<input name="sp_minutes" type="number" step="1" min="0" class="small-text" placeholder="<?php echo get_option( 'sportspress_event_minutes', 90 ); ?>" value="<?php echo $minutes; ?>">
+				<input name="sp_minutes" type="number" step="1" min="0" class="small-text" placeholder="<?php echo get_option( 'sportspress_event_minutes', 90 ); ?>" value="<?php echo esc_attr( $minutes ); ?>">
 				<?php _e( 'mins', 'sportspress' ); ?>
 			</p>
 		</div>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
index 87b46214..88e945b9 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
@@ -214,7 +214,7 @@ class SP_Meta_Box_Event_Performance {
 						$player_performance = sp_array_value( $data, $player_id, array() );
 						$value = sp_array_value( $player_performance, $column, '' );
 						?>
-						<td><input type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" placeholder="0" <?php if ( $split_positions ) { ?>readonly="readonly"<?php } else { ?>value="<?php echo $value; ?>"<?php } ?> /></td>
+						<td><input type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" placeholder="0" <?php if ( $split_positions ) { ?>readonly="readonly"<?php } else { ?>value="<?php echo esc_attr( $value ); ?>"<?php } ?> /></td>
 					<?php endforeach; ?>
 					<?php if ( $status ) { ?>
 						<td>&nbsp;</td>
@@ -240,7 +240,7 @@ class SP_Meta_Box_Event_Performance {
 			<?php } ?>
 			<?php if ( $numbers ) { ?>
 				<td>
-					<input class="small-text sp-player-number-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][number]" value="<?php echo $value; ?>" />
+					<input class="small-text sp-player-number-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][number]" value="<?php echo esc_attr( $value ); ?>" />
 				</td>
 			<?php } ?>
 			<td><?php echo get_the_title( $player_id ); ?></td>
@@ -270,7 +270,7 @@ class SP_Meta_Box_Event_Performance {
 				$value = sp_array_value( $player_performance, $column, '' );
 				?>
 				<td>
-					<input class="sp-player-<?php echo $column; ?>-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo $value; ?>" placeholder="0" />
+					<input class="sp-player-<?php echo $column; ?>-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="0" />
 				</td>
 			<?php endforeach; ?>
 			<?php if ( $status ) { ?>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-results.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-results.php
index 7f6ccc32..8f378c52 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-results.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-results.php
@@ -267,7 +267,7 @@ class SP_Meta_Box_Event_Results {
 							<?php foreach( $columns as $column => $label ):
 								$value = sp_array_value( $team_results, $column, '' );
 								?>
-								<td><input type="text" name="sp_results[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo $value; ?>"<?php if ( in_array( $column, $auto_columns ) ) { ?> placeholder="<?php _e( '(Auto)', 'sportspress' ); ?>"<?php } ?> /></td>
+								<td><input type="text" name="sp_results[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>"<?php if ( in_array( $column, $auto_columns ) ) { ?> placeholder="<?php _e( '(Auto)', 'sportspress' ); ?>"<?php } ?> /></td>
 							<?php endforeach; ?>
 							<td>
 								<?php
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-list-data.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-list-data.php
index 8cb8ae80..afeac16b 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-list-data.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-list-data.php
@@ -97,7 +97,7 @@ class SP_Meta_Box_List_Data {
 										<a class="dashicons dashicons-edit sp-edit" title="<?php _e( 'Edit', 'sportspress' ); ?>"></a>
 									</span>
 									<span class="hidden sp-custom-value">
-										<input type="text" name="sp_players[<?php echo $player_id; ?>][name]" class="name sp-custom-value-input" value="<?php echo sp_array_value( $player_stats, 'name', '' ); ?>" placeholder="<?php echo get_the_title( $player_id ); ?>" size="6">
+										<input type="text" name="sp_players[<?php echo $player_id; ?>][name]" class="name sp-custom-value-input" value="<?php echo esc_attr( sp_array_value( $player_stats, 'name', '' ) ); ?>" placeholder="<?php echo esc_attr( get_the_title( $player_id ) ); ?>" size="6">
 										<a class="button button-secondary sp-cancel"><?php _e( 'Cancel', 'sportspress' ); ?></a>
 										<a class="button button-primary sp-save"><?php _e( 'Save', 'sportspress' ); ?></a>
 									</span>
@@ -124,7 +124,7 @@ class SP_Meta_Box_List_Data {
 									$value = sp_array_value( $player_stats, $column, '' );
 									$placeholder = sp_array_value( sp_array_value( $placeholders, $player_id, array() ), $column, 0 );
 									?>
-									<td><input type="text" name="sp_players[<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo htmlspecialchars( $value ); ?>" placeholder="<?php echo htmlspecialchars( $placeholder ); ?>" data-placeholder="<?php echo htmlspecialchars( $placeholder ); ?>" data-matrix="<?php echo $player_id; ?>_<?php echo $column; ?>" data-adjustment="<?php echo sp_array_value( sp_array_value( $adjustments, $player_id, array() ), $column, 0 ); ?>" /></td>
+									<td><input type="text" name="sp_players[<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php echo esc_attr( $placeholder ); ?>" data-placeholder="<?php echo esc_attr( $placeholder ); ?>" data-matrix="<?php echo $player_id; ?>_<?php echo $column; ?>" data-adjustment="<?php echo sp_array_value( sp_array_value( $adjustments, $player_id, array() ), $column, 0 ); ?>" /></td>
 								<?php endforeach; ?>
 							</tr>
 							<?php
@@ -172,7 +172,7 @@ class SP_Meta_Box_List_Data {
 									if ( $column == 'team' ) continue;
 									$value = sp_array_value( sp_array_value( $adjustments, $player_id, array() ), $column, '' );
 									?>
-									<td><input type="text" name="sp_adjustments[<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo $value; ?>" placeholder="0" data-matrix="<?php echo $player_id; ?>_<?php echo $column; ?>" /></td>
+									<td><input type="text" name="sp_adjustments[<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="0" data-matrix="<?php echo $player_id; ?>_<?php echo $column; ?>" /></td>
 								<?php endforeach; ?>
 							</tr>
 							<?php
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-details.php
index 09c5c3b3..dc9d4a18 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-details.php
@@ -171,7 +171,7 @@ class SP_Meta_Box_Player_Details {
 	 * Save meta box data
 	 */
 	public static function save( $post_id, $post ) {
-		update_post_meta( $post_id, 'sp_number', sp_array_value( $_POST, 'sp_number', '' ) );
+		update_post_meta( $post_id, 'sp_number', esc_attr( sp_array_value( $_POST, 'sp_number', '' ) ) );
 		sp_update_post_meta_recursive( $post_id, 'sp_nationality', sp_array_value( $_POST, 'sp_nationality', array() ) );
 		sp_update_post_meta_recursive( $post_id, 'sp_current_team', sp_array_value( $_POST, 'sp_current_team', array() ) );
 		sp_update_post_meta_recursive( $post_id, 'sp_past_team', sp_array_value( $_POST, 'sp_past_team', array() ) );
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-metrics.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-metrics.php
index c530e223..2c17b56a 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-metrics.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-metrics.php
@@ -19,6 +19,7 @@ class SP_Meta_Box_Player_Metrics {
 	 * Output the metabox
 	 */
 	public static function output( $post ) {
+
 		$metrics = get_post_meta( $post->ID, 'sp_metrics', true );
 
 		$args = array(
@@ -35,7 +36,7 @@ class SP_Meta_Box_Player_Metrics {
 			foreach ( $vars as $var ):
 			?>
 			<p><strong><?php echo $var->post_title; ?></strong></p>
-			<p><input type="text" name="sp_metrics[<?php echo $var->post_name; ?>]" value="<?php echo sp_array_value( $metrics, $var->post_name, '' ); ?>" /></p>
+			<p><input type="text" name="sp_metrics[<?php echo $var->post_name; ?>]" value="<?php echo esc_attr( sp_array_value( $metrics, $var->post_name, '' ) ); ?>" /></p>
 			<?php
 			endforeach;
 		else:
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php
index c0c2d78d..b92a83f7 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php
@@ -151,7 +151,7 @@ class SP_Meta_Box_Player_Statistics {
 									if ( $readonly )
 										echo $value ? $value : $placeholder;
 									else
-										echo '<input type="text" name="sp_statistics[' . $league_id . '][' . $div_id . '][' . $column . ']" value="' . $value . '" placeholder="' . $placeholder . '"' . ( $readonly ? ' disabled="disabled"' : '' ) . '  />';
+										echo '<input type="text" name="sp_statistics[' . $league_id . '][' . $div_id . '][' . $column . ']" value="' . esc_attr( $value ) . '" placeholder="' . esc_attr( $placeholder ) . '"' . ( $readonly ? ' disabled="disabled"' : '' ) . '  />';
 								?></td>
 							<?php endforeach; ?>
 						</tr>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-data.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-data.php
index 99d60101..2ce92893 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-data.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-data.php
@@ -84,7 +84,7 @@ class SP_Meta_Box_Table_Data {
 										<a class="dashicons dashicons-edit sp-edit" title="<?php _e( 'Edit', 'sportspress' ); ?>"></a>
 									</span>
 									<span class="hidden sp-custom-value">
-										<input type="text" name="sp_teams[<?php echo $team_id; ?>][name]" class="name sp-custom-value-input" value="<?php echo sp_array_value( $team_stats, 'name', '' ); ?>" placeholder="<?php echo get_the_title( $team_id ); ?>" size="6">
+										<input type="text" name="sp_teams[<?php echo $team_id; ?>][name]" class="name sp-custom-value-input" value="<?php echo esc_attr( sp_array_value( $team_stats, 'name', '' ) ); ?>" placeholder="<?php echo esc_attr( get_the_title( $team_id ) ); ?>" size="6">
 										<a class="button button-secondary sp-cancel"><?php _e( 'Cancel', 'sportspress' ); ?></a>
 										<a class="button button-primary sp-save"><?php _e( 'Save', 'sportspress' ); ?></a>
 									</span>
@@ -93,7 +93,7 @@ class SP_Meta_Box_Table_Data {
 									$value = sp_array_value( $team_stats, $column, '' );
 									$placeholder = sp_array_value( sp_array_value( $placeholders, $team_id, array() ), $column, 0 );
 									?>
-									<td><input type="text" name="sp_teams[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo $value; ?>" placeholder="<?php echo $placeholder; ?>" data-placeholder="<?php echo $placeholder; ?>" data-matrix="<?php echo $team_id; ?>_<?php echo $column; ?>" data-adjustment="<?php echo sp_array_value( sp_array_value( $adjustments, $team_id, array() ), $column, 0 ); ?>" /></td>
+									<td><input type="text" name="sp_teams[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php echo esc_attr( $placeholder ); ?>" data-placeholder="<?php echo esc_attr( $placeholder ); ?>" data-matrix="<?php echo $team_id; ?>_<?php echo $column; ?>" data-adjustment="<?php echo esc_attr( sp_array_value( sp_array_value( $adjustments, $team_id, array() ), $column, 0 ) ); ?>" /></td>
 								<?php endforeach; ?>
 							</tr>
 							<?php
@@ -137,7 +137,7 @@ class SP_Meta_Box_Table_Data {
 								<?php foreach( $columns as $column => $label ):
 									$value = sp_array_value( sp_array_value( $adjustments, $team_id, array() ), $column, '' );
 									?>
-									<td><input type="text" name="sp_adjustments[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo $value; ?>" placeholder="0" data-matrix="<?php echo $team_id; ?>_<?php echo $column; ?>" /></td>
+									<td><input type="text" name="sp_adjustments[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="0" data-matrix="<?php echo $team_id; ?>_<?php echo $column; ?>" /></td>
 								<?php endforeach; ?>
 							</tr>
 							<?php
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-details.php
index e21705df..88ba093c 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-details.php
@@ -107,13 +107,13 @@ class SP_Meta_Box_Team_Details {
 		<?php } ?>
 
 		<p><strong><?php _e( 'Site URL', 'sportspress' ); ?></strong></p>
-		<p><input type="text" class="widefat" id="sp_url" name="sp_url" value="<?php echo $url; ?>"></p>
+		<p><input type="text" class="widefat" id="sp_url" name="sp_url" value="<?php echo esc_url( $url ); ?>"></p>
 		<?php if ( $url ): ?>
 			<p><a class="sp-link" title="<?php _e( 'Visit Site', 'sportspress' ); ?>" href="<?php echo $url; ?>" target="_blank"><?php _e( 'Visit Site', 'sportspress' ); ?></a></p>
 		<?php endif; ?>
 
 		<p><strong><?php _e( 'Abbreviation', 'sportspress' ); ?></strong></p>
-		<p><input type="text" id="sp_abbreviation" name="sp_abbreviation" value="<?php echo $abbreviation; ?>"></p>
+		<p><input type="text" id="sp_abbreviation" name="sp_abbreviation" value="<?php echo esc_attr( $abbreviation ); ?>"></p>
 		<?php
 	}
 
@@ -121,7 +121,7 @@ class SP_Meta_Box_Team_Details {
 	 * Save meta box data
 	 */
 	public static function save( $post_id, $post ) {
-		update_post_meta( $post_id, 'sp_url', sp_array_value( $_POST, 'sp_url', '' ) );
-		update_post_meta( $post_id, 'sp_abbreviation', sp_array_value( $_POST, 'sp_abbreviation', '' ) );
+		update_post_meta( $post_id, 'sp_url', esc_url( sp_array_value( $_POST, 'sp_url', '' ) ) );
+		update_post_meta( $post_id, 'sp_abbreviation', esc_attr( sp_array_value( $_POST, 'sp_abbreviation', '' ) ) );
 	}
 }
\ No newline at end of file