Escape output of vars in SPEC, STAFF and STATISTIC Admin Classes

2021-11-05 17:38:40 +02:00
parent 39cf8f9662
commit 04736f1765
3 changed files with 4 additions and 4 deletions
--- a/includes/admin/post-types/class-sp-admin-cpt-spec.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-spec.php
@@ -55,7 +55,7 @@ class SP_Admin_CPT_Spec extends SP_Admin_CPT {
 		switch ( $column ):
 			case 'sp_key':
 				global $post;
-				echo $post->post_name;
+				echo esc_attr( $post->post_name );
 				break;
 			case 'sp_description':
 				global $post;
--- a/includes/admin/post-types/class-sp-admin-cpt-staff.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-staff.php
@@ -92,7 +92,7 @@ class SP_Admin_CPT_Staff extends SP_Admin_CPT {
 						if ( ! $team_id ) continue;
 						$team = get_post( $team_id );
 						if ( $team ):
-							echo $team->post_title;
+							echo esc_attr( $team->post_title );
 							if ( in_array( $team_id, $current_teams ) ):
 								echo '<span class="dashicons dashicons-yes" title="' . __( 'Current Team', 'sportspress' ) . '"></span>';
 							endif;
--- a/includes/admin/post-types/class-sp-admin-cpt-statistic.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-statistic.php
@@ -61,7 +61,7 @@ class SP_Admin_CPT_Statistic extends SP_Admin_CPT {
 				break;
 			case 'sp_key':
 				global $post;
-				echo $post->post_name;
+				echo esc_attr( $post->post_name );
 				break;
 			case 'sp_equation':
 				echo sp_get_post_equation( $post_id );
@@ -71,7 +71,7 @@ class SP_Admin_CPT_Statistic extends SP_Admin_CPT {
 				break;
 			case 'sp_description':
 				global $post;
-				echo '<span class="description">' . $post->post_excerpt . '</span>';
+				echo '<span class="description">' . wp_kses_post( $post->post_excerpt ) . '</span>';
 				break;
 		endswitch;
 	}