From 051d3e30550f77e221857226da53052a03d20c8e Mon Sep 17 00:00:00 2001
From: savvasha <savvasha@hotmail.com>
Date: Sat, 13 Nov 2021 07:59:02 +0200
Subject: [PATCH] Escapes based on phpcs #11

---
 includes/admin/class-sp-admin-welcome.php     |  4 +--
 .../class-sp-admin-cpt-calendar.php           | 14 +++++-----
 .../post-types/class-sp-admin-cpt-event.php   | 24 ++++++++---------
 .../post-types/class-sp-admin-cpt-list.php    | 12 ++++-----
 .../class-sp-admin-cpt-performance.php        |  2 +-
 .../post-types/class-sp-admin-cpt-player.php  | 24 ++++++++---------
 .../class-sp-admin-cpt-statistic.php          |  2 +-
 .../post-types/class-sp-admin-cpt-table.php   | 10 +++----
 .../post-types/class-sp-admin-cpt-team.php    |  6 ++---
 .../class-sp-meta-box-event-performance.php   | 26 +++++++++----------
 10 files changed, 62 insertions(+), 62 deletions(-)

diff --git a/includes/admin/class-sp-admin-welcome.php b/includes/admin/class-sp-admin-welcome.php
index a920b69d..dd23c65a 100644
--- a/includes/admin/class-sp-admin-welcome.php
+++ b/includes/admin/class-sp-admin-welcome.php
@@ -329,7 +329,7 @@ class SP_Admin_Welcome {
 	<div class="wrap about-wrap about-sportspress-wrap">
 		<?php $this->intro(); ?>
 	  
-	  <p class="about-description"><?php printf( __( 'SportsPress is developed and maintained by a worldwide team of passionate individuals and backed by an awesome developer community. Want to see your name? <a href="%s">Contribute to SportsPress</a>.', 'sportspress' ), 'https://github.com/ThemeBoy/SportsPress/blob/master/CONTRIBUTING.md' ); ?></p>
+	  <p class="about-description"><?php printf( wp_kses_post( __( 'SportsPress is developed and maintained by a worldwide team of passionate individuals and backed by an awesome developer community. Want to see your name? <a href="%s">Contribute to SportsPress</a>.', 'sportspress' ) ), 'https://github.com/ThemeBoy/SportsPress/blob/master/CONTRIBUTING.md' ); ?></p>
 
 	  <div class="sp-feature feature-section col one-col">
 		<?php echo wp_kses_post( $this->contributors() ); ?>
@@ -347,7 +347,7 @@ class SP_Admin_Welcome {
 
 		<?php $this->intro(); ?>
 
-	  <p class="about-description"><?php printf( __( 'SportsPress has been kindly translated into several other languages thanks to our translation team. Want to see your name? <a href="%s">Translate SportsPress</a>.', 'sportspress' ), 'https://translate.wordpress.org/projects/wp-plugins/sportspress' ); ?></p>
+	  <p class="about-description"><?php printf( wp_kses_post( __( 'SportsPress has been kindly translated into several other languages thanks to our translation team. Want to see your name? <a href="%s">Translate SportsPress</a>.', 'sportspress' ) ), 'https://translate.wordpress.org/projects/wp-plugins/sportspress' ); ?></p>
 	</div>
 		<?php
 	}
diff --git a/includes/admin/post-types/class-sp-admin-cpt-calendar.php b/includes/admin/post-types/class-sp-admin-cpt-calendar.php
index b3314b13..f2d631ab 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-calendar.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-calendar.php
@@ -70,19 +70,19 @@ if ( ! class_exists( 'SP_Admin_CPT_Calendar' ) ) :
 		public function custom_columns( $column, $post_id ) {
 			switch ( $column ) :
 				case 'sp_league':
-					echo get_the_terms( $post_id, 'sp_league' ) ? the_terms( $post_id, 'sp_league' ) : __( 'All', 'sportspress' );
+					echo get_the_terms( $post_id, 'sp_league' ) ? wp_kses_post( the_terms( $post_id, 'sp_league' ) ) : esc_html__( 'All', 'sportspress' );
 					break;
 				case 'sp_season':
-					echo get_the_terms( $post_id, 'sp_season' ) ? the_terms( $post_id, 'sp_season' ) : __( 'All', 'sportspress' );
+					echo get_the_terms( $post_id, 'sp_season' ) ? wp_kses_post( the_terms( $post_id, 'sp_season' ) ) : esc_html__( 'All', 'sportspress' );
 					break;
 				case 'sp_venue':
-					echo get_the_terms( $post_id, 'sp_venue' ) ? the_terms( $post_id, 'sp_venue' ) : __( 'All', 'sportspress' );
+					echo get_the_terms( $post_id, 'sp_venue' ) ? wp_kses_post( the_terms( $post_id, 'sp_venue' ) ) : esc_html__( 'All', 'sportspress' );
 					break;
 				case 'sp_team':
 					$teams = (array) get_post_meta( $post_id, 'sp_team', false );
 					$teams = array_filter( $teams );
 					if ( empty( $teams ) ) :
-						echo __( 'All', 'sportspress' );
+						echo esc_html__( 'All', 'sportspress' );
 					else :
 						$current_team = get_post_meta( $post_id, 'sp_current_team', true );
 						foreach ( $teams as $team_id ) :
@@ -93,7 +93,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Calendar' ) ) :
 							if ( $team ) :
 								echo esc_html( $team->post_title );
 								if ( $team_id == $current_team ) :
-									echo '<span class="dashicons dashicons-yes" title="' . __( 'Current Team', 'sportspress' ) . '"></span>';
+									echo '<span class="dashicons dashicons-yes" title="' . esc_attr__( 'Current Team', 'sportspress' ) . '"></span>';
 								endif;
 								echo '<br>';
 							endif;
@@ -102,7 +102,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Calendar' ) ) :
 					break;
 				case 'sp_events':
 					$calendar = new SP_Calendar( $post_id );
-					echo sizeof( $calendar->data() );
+					echo esc_html( sizeof( $calendar->data() ) );
 					break;
 				case 'sp_layout':
 					echo esc_html( sp_array_value( SP()->formats->calendar, get_post_meta( $post_id, 'sp_format', true ), '&mdash;' ) );
@@ -146,7 +146,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Calendar' ) ) :
 				'selected'         => $selected,
 				'values'           => 'ID',
 			);
-			wp_dropdown_pages( $args );
+			esc_html ( wp_dropdown_pages( $args ) );
 		}
 
 		/**
diff --git a/includes/admin/post-types/class-sp-admin-cpt-event.php b/includes/admin/post-types/class-sp-admin-cpt-event.php
index 4db3ca95..b126de95 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-event.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-event.php
@@ -188,11 +188,11 @@ if ( ! class_exists( 'SP_Admin_CPT_Event' ) ) :
 					$formats       = new SP_Formats();
 					$event_formats = $formats->event;
 					if ( array_key_exists( $format, $event_formats ) ) :
-						echo '<span class="dashicons sp-icon-' . $format . ' sp-tip" title="' . $event_formats[ $format ] . '"></span>';
+						echo '<span class="dashicons sp-icon-' . esc_attr( $format ) . ' sp-tip" title="' . esc_attr( $event_formats[ $format ] ) . '"></span>';
 					endif;
 					break;
 				case 'sp_time':
-					echo apply_filters( 'sportspress_event_time_admin', get_post_time( 'H:i', false, $post_id, true ) );
+					echo wp_kses_post( apply_filters( 'sportspress_event_time_admin', get_post_time( 'H:i', false, $post_id, true ) ) );
 					break;
 				case 'sp_team':
 					$teams         = (array) get_post_meta( $post_id, 'sp_team', false );
@@ -207,7 +207,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Event' ) ) :
 					else :
 						$results     = get_post_meta( $post_id, 'sp_results', true );
 						$main_result = get_option( 'sportspress_primary_result', null );
-						echo '<input type="hidden" name="sp_post_id" value="' . $post_id . '">';
+						echo '<input type="hidden" name="sp_post_id" value="' . esc_attr( $post_id ) . '">';
 						echo '<div class="sp-results">';
 						foreach ( $teams as $team_id ) :
 							if ( ! $team_id ) {
@@ -236,7 +236,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Event' ) ) :
 									$team_results = implode( ' | ', $team_results );
 								endif;
 
-								echo '<a class="sp-result sp-tip" tabindex="10" title="' . esc_attr( $team_results ) . '" data-team="' . esc_attr( $team_id ) . '" href="#">' . ( $team_result == '' ? '-' : apply_filters( 'sportspress_event_team_result_admin', $team_result, $post_id, $team_id ) ) . '</a>';
+								echo '<a class="sp-result sp-tip" tabindex="10" title="' . esc_attr( $team_results ) . '" data-team="' . esc_attr( $team_id ) . '" href="#">' . ( $team_result == '' ? '-' : wp_kses_post( apply_filters( 'sportspress_event_team_result_admin', $team_result, $post_id, $team_id ) ) ) . '</a>';
 								echo '<input type="text" tabindex="10" class="sp-edit-result hidden small-text" data-team="' . esc_attr( $team_id ) . '" data-key="' . esc_attr( $main_result ) . '" value="' . esc_attr( $team_result ) . '"> ';
 								echo esc_html( $team->post_title );
 								echo '<br>';
@@ -245,23 +245,23 @@ if ( ! class_exists( 'SP_Admin_CPT_Event' ) ) :
 						echo '</div>';
 						if ( current_user_can( 'edit_others_sp_events' ) ) {
 							?>
-						<div class="row-actions sp-row-actions"><span class="inline hide-if-no-js"><a href="#" class="sp-edit-results"><?php _e( 'Edit Results', 'sportspress' ); ?></a></span></div>
+						<div class="row-actions sp-row-actions"><span class="inline hide-if-no-js"><a href="#" class="sp-edit-results"><?php esc_html_e( 'Edit Results', 'sportspress' ); ?></a></span></div>
 						<p class="inline-edit-save sp-inline-edit-save hidden">
-							<a href="#inline-edit" class="button-secondary cancel alignleft"><?php _e( 'Cancel' ); ?></a>
-							<a href="#inline-edit" class="button-primary save alignright"><?php _e( 'Update' ); ?></a>
+							<a href="#inline-edit" class="button-secondary cancel alignleft"><?php esc_html_e( 'Cancel' ); ?></a>
+							<a href="#inline-edit" class="button-primary save alignright"><?php esc_html_e( 'Update' ); ?></a>
 						</p>
 							<?php
 						}
 					endif;
 					break;
 				case 'sp_league':
-					echo get_the_terms( $post_id, 'sp_league' ) ? the_terms( $post_id, 'sp_league' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_league' ) ? wp_kses_post( the_terms( $post_id, 'sp_league' ) ) : '&mdash;';
 					break;
 				case 'sp_season':
-					echo get_the_terms( $post_id, 'sp_season' ) ? the_terms( $post_id, 'sp_season' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_season' ) ? wp_kses_post( the_terms( $post_id, 'sp_season' ) ) : '&mdash;';
 					break;
 				case 'sp_venue':
-					echo get_the_terms( $post_id, 'sp_venue' ) ? the_terms( $post_id, 'sp_venue' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_venue' ) ? wp_kses_post( the_terms( $post_id, 'sp_venue' ) ) : '&mdash;';
 					break;
 				case 'sp_day':
 					$day = get_post_meta( $post_id, 'sp_day', true );
@@ -291,7 +291,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Event' ) ) :
 				'selected'         => $selected,
 				'values'           => 'ID',
 			);
-			wp_dropdown_pages( $args );
+			esc_html( wp_dropdown_pages( $args ) );
 
 			$selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
 			$args     = array(
@@ -312,7 +312,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Event' ) ) :
 			sp_dropdown_taxonomies( $args );
 
 			$selected = isset( $_REQUEST['match_day'] ) ? sanitize_text_field( $_REQUEST['match_day'] ) : null;
-			echo '<input name="match_day" type="text" class="sp-tablenav-input" placeholder="' . __( 'Match Day', 'sportspress' ) . '" value="' . $selected . '">';
+			echo '<input name="match_day" type="text" class="sp-tablenav-input" placeholder="' . esc_attr__( 'Match Day', 'sportspress' ) . '" value="' . esc_attr( $selected ) . '">';
 
 			if ( current_user_can( 'edit_others_sp_events' ) ) {
 				wp_nonce_field( 'sp-save-inline-results', 'sp-inline-nonce', false );
diff --git a/includes/admin/post-types/class-sp-admin-cpt-list.php b/includes/admin/post-types/class-sp-admin-cpt-list.php
index d1dc656c..7b92b7c5 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-list.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-list.php
@@ -72,22 +72,22 @@ if ( ! class_exists( 'SP_Admin_CPT_List' ) ) :
 					$select = get_post_meta( $post_id, 'sp_select', true );
 					if ( 'manual' == $select ) :
 						$players = array_filter( get_post_meta( $post_id, 'sp_player' ) );
-						echo sizeof( $players );
+						echo esc_html( sizeof( $players ) );
 					else :
-						_e( 'Auto', 'sportspress' );
+						esc_html_e( 'Auto', 'sportspress' );
 					endif;
 					break;
 				case 'sp_league':
-					echo get_the_terms( $post_id, 'sp_league' ) ? the_terms( $post_id, 'sp_league' ) : __( 'All', 'sportspress' );
+					echo get_the_terms( $post_id, 'sp_league' ) ? wp_kses_post( the_terms( $post_id, 'sp_league' ) ) : esc_html__( 'All', 'sportspress' );
 					break;
 				case 'sp_season':
-					echo get_the_terms( $post_id, 'sp_season' ) ? the_terms( $post_id, 'sp_season' ) : __( 'All', 'sportspress' );
+					echo get_the_terms( $post_id, 'sp_season' ) ? wp_kses_post( the_terms( $post_id, 'sp_season' ) ) : esc_html__( 'All', 'sportspress' );
 					break;
 				case 'sp_team':
 					$teams = (array) get_post_meta( $post_id, 'sp_team', false );
 					$teams = array_filter( $teams );
 					if ( empty( $teams ) ) :
-						echo __( 'All', 'sportspress' );
+						echo esc_html__( 'All', 'sportspress' );
 					else :
 						foreach ( $teams as $team_id ) :
 							if ( ! $team_id ) {
@@ -142,7 +142,7 @@ if ( ! class_exists( 'SP_Admin_CPT_List' ) ) :
 				'selected'         => $selected,
 				'values'           => 'ID',
 			);
-			wp_dropdown_pages( $args );
+			esc_html( wp_dropdown_pages( $args ) );
 		}
 
 		/**
diff --git a/includes/admin/post-types/class-sp-admin-cpt-performance.php b/includes/admin/post-types/class-sp-admin-cpt-performance.php
index 4f66d031..32e032c7 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-performance.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-performance.php
@@ -61,7 +61,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Performance' ) ) :
 		public function custom_columns( $column, $post_id ) {
 			switch ( $column ) :
 				case 'sp_icon':
-					echo has_post_thumbnail( $post_id ) ? edit_post_link( get_the_post_thumbnail( $post_id, 'sportspress-fit-mini' ), '', '', $post_id ) : '';
+					echo has_post_thumbnail( $post_id ) ? wp_kses_post( edit_post_link( get_the_post_thumbnail( $post_id, 'sportspress-fit-mini' ), '', '', $post_id ) ) : '';
 					break;
 				case 'sp_key':
 					global $post;
diff --git a/includes/admin/post-types/class-sp-admin-cpt-player.php b/includes/admin/post-types/class-sp-admin-cpt-player.php
index acaede58..c62c8e5b 100755
--- a/includes/admin/post-types/class-sp-admin-cpt-player.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-player.php
@@ -102,14 +102,14 @@ if ( ! class_exists( 'SP_Admin_CPT_Player' ) ) :
 					echo esc_html( get_post_meta( $post_id, 'sp_number', true ) );
 					break;
 				case 'sp_position':
-					echo get_the_terms( $post_id, 'sp_position' ) ? the_terms( $post_id, 'sp_position' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_position' ) ? wp_kses_post( the_terms( $post_id, 'sp_position' ) ) : '&mdash;';
 					break;
 				case 'sp_team':
 					$current_teams = get_post_meta( $post_id, 'sp_current_team', false );
 					$past_teams    = get_post_meta( $post_id, 'sp_past_team', false );
 					$current_teams = array_filter( $current_teams );
 					$past_teams    = array_filter( $past_teams );
-					echo '<span class="hidden sp-player-teams" data-current-teams="' . implode( ',', $current_teams ) . '" data-past-teams="' . implode( ',', $past_teams ) . '"></span>';
+					echo '<span class="hidden sp-player-teams" data-current-teams="' . implode( ',', array_map( 'esc_attr', $current_teams ) ) . '" data-past-teams="' . implode( ',', array_map( 'esc_attr', $past_teams ) ) . '"></span>';
 					$teams = (array) get_post_meta( $post_id, 'sp_team', false );
 					$teams = array_filter( $teams );
 					$teams = array_unique( $teams );
@@ -124,7 +124,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Player' ) ) :
 							if ( $team ) :
 								echo esc_html( $team->post_title );
 								if ( in_array( $team_id, $current_teams ) ) :
-									echo '<span class="dashicons dashicons-yes" title="' . __( 'Current Team', 'sportspress' ) . '"></span>';
+									echo '<span class="dashicons dashicons-yes" title="' . esc_attr__( 'Current Team', 'sportspress' ) . '"></span>';
 								endif;
 								echo '<br>';
 							endif;
@@ -132,13 +132,13 @@ if ( ! class_exists( 'SP_Admin_CPT_Player' ) ) :
 					endif;
 					break;
 				case 'sp_league':
-					echo get_the_terms( $post_id, 'sp_league' ) ? the_terms( $post_id, 'sp_league' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_league' ) ? wp_kses_post( the_terms( $post_id, 'sp_league' ) ) : '&mdash;';
 					break;
 				case 'sp_season':
-					echo get_the_terms( $post_id, 'sp_season' ) ? the_terms( $post_id, 'sp_season' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_season' ) ? wp_kses_post( the_terms( $post_id, 'sp_season' ) ) : '&mdash;';
 					break;
 				case 'sp_venue':
-					echo get_the_terms( $post_id, 'sp_venue' ) ? the_terms( $post_id, 'sp_venue' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_venue' ) ? wp_kses_post( the_terms( $post_id, 'sp_venue' ) ) : '&mdash;';
 					break;
 			endswitch;
 		}
@@ -172,7 +172,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Player' ) ) :
 				'selected'         => $selected,
 				'values'           => 'ID',
 			);
-			wp_dropdown_pages( $args );
+			esc_html( wp_dropdown_pages( $args ) );
 
 			if ( taxonomy_exists( 'sp_league' ) ) :
 				$selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
@@ -244,7 +244,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Player' ) ) :
 		<fieldset class="inline-edit-col-right">
 			<div class="inline-edit-col">
 				<label>
-					<span class="title"><?php _e( 'Squad Number', 'sportspress' ); ?></span>
+					<span class="title"><?php esc_html_e( 'Squad Number', 'sportspress' ); ?></span>
 					<span class="input-text-wrap"><input type="text" name="sp_number" class="inline-edit-menu-order-input"></span>
 				</label>
 			</div>
@@ -280,14 +280,14 @@ if ( ! class_exists( 'SP_Admin_CPT_Player' ) ) :
 			?>
 		<fieldset class="inline-edit-col-right">
 			<div class="inline-edit-col">
-				<span class="title inline-edit-categories-label"><?php _e( 'Current Teams', 'sportspress' ); ?></span>
+				<span class="title inline-edit-categories-label"><?php esc_html_e( 'Current Teams', 'sportspress' ); ?></span>
 				<input type="hidden" name="sp_current_team[]" value="0">
 				<ul class="cat-checklist">
 					<?php foreach ( $teams as $team ) { ?>
 					<li><label class="selectit"><input value="<?php echo esc_attr( $team->ID ); ?>" type="checkbox" name="sp_current_team[]"> <?php echo esc_html( $team->post_title ); ?></label></li>
 					<?php } ?>
 				</ul>
-				<span class="title inline-edit-categories-label"><?php _e( 'Past Teams', 'sportspress' ); ?></span>
+				<span class="title inline-edit-categories-label"><?php esc_html_e( 'Past Teams', 'sportspress' ); ?></span>
 				<input type="hidden" name="sp_past_team[]" value="0">
 				<ul class="cat-checklist">
 					<?php foreach ( $teams as $team ) { ?>
@@ -367,14 +367,14 @@ if ( ! class_exists( 'SP_Admin_CPT_Player' ) ) :
 			?>
 		<fieldset class="inline-edit-col-right">
 			<div class="inline-edit-col">
-				<span class="title inline-edit-categories-label"><?php _e( 'Current Teams', 'sportspress' ); ?></span>
+				<span class="title inline-edit-categories-label"><?php esc_html_e( 'Current Teams', 'sportspress' ); ?></span>
 				<input type="hidden" name="sp_current_team[]" value="0">
 				<ul class="cat-checklist">
 					<?php foreach ( $teams as $team ) { ?>
 					<li><label class="selectit"><input value="<?php echo esc_attr( $team->ID ); ?>" type="checkbox" name="sp_current_team[]"> <?php echo esc_attr( $team->post_title ); ?></label></li>
 					<?php } ?>
 				</ul>
-				<span class="title inline-edit-categories-label"><?php _e( 'Past Teams', 'sportspress' ); ?></span>
+				<span class="title inline-edit-categories-label"><?php esc_html_e( 'Past Teams', 'sportspress' ); ?></span>
 				<input type="hidden" name="sp_past_team[]" value="0">
 				<ul class="cat-checklist">
 					<?php foreach ( $teams as $team ) { ?>
diff --git a/includes/admin/post-types/class-sp-admin-cpt-statistic.php b/includes/admin/post-types/class-sp-admin-cpt-statistic.php
index 9e19f109..3b4739fe 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-statistic.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-statistic.php
@@ -61,7 +61,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Statistic' ) ) :
 		public function custom_columns( $column, $post_id ) {
 			switch ( $column ) :
 				case 'sp_icon':
-					echo has_post_thumbnail( $post_id ) ? edit_post_link( get_the_post_thumbnail( $post_id, 'sportspress-fit-mini' ), '', '', $post_id ) : '';
+					echo has_post_thumbnail( $post_id ) ? wp_kses_post( edit_post_link( get_the_post_thumbnail( $post_id, 'sportspress-fit-mini' ), '', '', $post_id ) ) : '';
 					break;
 				case 'sp_key':
 					global $post;
diff --git a/includes/admin/post-types/class-sp-admin-cpt-table.php b/includes/admin/post-types/class-sp-admin-cpt-table.php
index 5b19ca83..65a17120 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-table.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-table.php
@@ -67,18 +67,18 @@ if ( ! class_exists( 'SP_Admin_CPT_Table' ) ) :
 		public function custom_columns( $column, $post_id ) {
 			switch ( $column ) :
 				case 'sp_league':
-					echo get_the_terms( $post_id, 'sp_league' ) ? the_terms( $post_id, 'sp_league' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_league' ) ? wp_kses_post( the_terms( $post_id, 'sp_league' ) ) : '&mdash;';
 					break;
 				case 'sp_season':
-					echo get_the_terms( $post_id, 'sp_season' ) ? the_terms( $post_id, 'sp_season' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_season' ) ? wp_kses_post( the_terms( $post_id, 'sp_season' ) ) : '&mdash;';
 					break;
 				case 'sp_team':
 					$select = get_post_meta( $post_id, 'sp_select', true );
 					if ( 'manual' == $select ) :
 						$teams = array_filter( get_post_meta( $post_id, 'sp_team' ) );
-						echo sizeof( $teams );
+						echo esc_html( sizeof( $teams ) );
 					else :
-						_e( 'Auto', 'sportspress' );
+						esc_html_e( 'Auto', 'sportspress' );
 					endif;
 					break;
 			endswitch;
@@ -120,7 +120,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Table' ) ) :
 				'selected'         => $selected,
 				'values'           => 'ID',
 			);
-			wp_dropdown_pages( $args );
+			esc_html( wp_dropdown_pages( $args ) );
 		}
 
 		/**
diff --git a/includes/admin/post-types/class-sp-admin-cpt-team.php b/includes/admin/post-types/class-sp-admin-cpt-team.php
index 3ab56d69..057ab716 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-team.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-team.php
@@ -89,7 +89,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Team' ) ) :
 		public function custom_columns( $column, $post_id ) {
 			switch ( $column ) :
 				case 'sp_icon':
-					echo has_post_thumbnail( $post_id ) ? edit_post_link( get_the_post_thumbnail( $post_id, 'sportspress-fit-mini' ), '', '', $post_id ) : '';
+					echo has_post_thumbnail( $post_id ) ? wp_kses_post( edit_post_link( get_the_post_thumbnail( $post_id, 'sportspress-fit-mini' ), '', '', $post_id ) ) : '';
 					break;
 				case 'sp_short_name':
 					$short_name = get_post_meta( $post_id, 'sp_short_name', true );
@@ -100,10 +100,10 @@ if ( ! class_exists( 'SP_Admin_CPT_Team' ) ) :
 					echo $abbreviation ? esc_html( $abbreviation ) : '&mdash;';
 					break;
 				case 'sp_league':
-					echo get_the_terms( $post_id, 'sp_league' ) ? the_terms( $post_id, 'sp_league' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_league' ) ? wp_kses_post( the_terms( $post_id, 'sp_league' ) ) : '&mdash;';
 					break;
 				case 'sp_season':
-					echo get_the_terms( $post_id, 'sp_season' ) ? the_terms( $post_id, 'sp_season' ) : '&mdash;';
+					echo get_the_terms( $post_id, 'sp_season' ) ? wp_kses_post( the_terms( $post_id, 'sp_season' ) ) : '&mdash;';
 					break;
 			endswitch;
 		}
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
index d6b64c08..12bc88fe 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
@@ -157,7 +157,7 @@ class SP_Meta_Box_Event_Performance {
 					?>
 					<div>
 						<p>
-							<strong><?php echo get_the_title( $team_id ); ?></strong>
+							<strong><?php echo wp_kses_post( get_the_title( $team_id ) ); ?></strong>
 							<a class="add-new-h2 sp-add-new-h2" href="
 							<?php
 							echo esc_url(
@@ -175,7 +175,7 @@ class SP_Meta_Box_Event_Performance {
 								)
 							);
 							?>
-																		"><?php _e( 'Import', 'sportspress' ); ?></a>
+																		"><?php esc_html_e( 'Import', 'sportspress' ); ?></a>
 						</p>
 						<?php self::table( $labels, $columns, $data, $team_id, $has_checkboxes && $i === 0, $positions, $status, -1, $formats, $order, $numbers, $team_timeline, $timed, $stars ); ?>
 						<?php do_action( 'sportspress_after_event_performance_table_admin', $labels, $columns, $data, $team_id ); ?>
@@ -262,7 +262,7 @@ class SP_Meta_Box_Event_Performance {
 						?>
 						<div>
 							<p>
-								<strong><?php echo get_the_title( $team_id ); ?> &mdash; <?php echo esc_html( $section_label ); ?></strong>
+								<strong><?php echo wp_kses_post( get_the_title( $team_id ) ); ?> &mdash; <?php echo esc_html( $section_label ); ?></strong>
 								<a class="add-new-h2 sp-add-new-h2" href="
 								<?php
 								echo esc_url(
@@ -278,7 +278,7 @@ class SP_Meta_Box_Event_Performance {
 									)
 								);
 								?>
-																			"><?php _e( 'Import', 'sportspress' ); ?></a>
+																			"><?php esc_html_e( 'Import', 'sportspress' ); ?></a>
 							</p>
 							<?php self::table( $labels[ $section_id ], $columns, $data[ $section_id ], $team_id, ( $has_checkboxes && 0 === $i ), $positions, $status, $section_id, $formats, $order, $numbers, $team_timeline, $timed, $stars ); ?>
 							<?php do_action( 'sportspress_after_event_performance_table_admin', $labels[ $section_id ], $columns, $data[ $section_id ], $team_id ); ?>
@@ -353,10 +353,10 @@ class SP_Meta_Box_Event_Performance {
 				<?php if ( apply_filters( 'sportspress_event_performance_show_numbers', $numbers, $section ) ) { ?>
 					<th>#</th>
 				<?php } ?>
-				<th><?php _e( 'Player', 'sportspress' ); ?></th>
+				<th><?php esc_html_e( 'Player', 'sportspress' ); ?></th>
 				<?php if ( ! empty( $positions ) ) { ?>
 					<th class="column-position">
-						<?php _e( 'Position', 'sportspress' ); ?>
+						<?php esc_html_e( 'Position', 'sportspress' ); ?>
 					</th>
 				<?php } ?>
 				<?php $i = 0; foreach ( $labels as $key => $label ) : ?>
@@ -383,11 +383,11 @@ endforeach;
 				?>
 				<?php if ( apply_filters( 'sportspress_event_performance_show_status', $status, $section ) ) { ?>
 					<th>
-						<?php _e( 'Status', 'sportspress' ); ?>
+						<?php esc_html_e( 'Status', 'sportspress' ); ?>
 					</th>
 				<?php } ?>
 				<?php if ( $stars_type ) { ?>
-					<th><i class="dashicons dashicons-star-filled" title="<?php 1 == $stars_type ? _e( 'Player of the Match', 'sportspress' ) : _e( 'Stars', 'sportspress' ); ?>"></i></th>
+					<th><i class="dashicons dashicons-star-filled" title="<?php 1 == $stars_type ? esc_attr_e( 'Player of the Match', 'sportspress' ) : esc_attr_e( 'Stars', 'sportspress' ); ?>"></i></th>
 				<?php } ?>
 			</tr>
 		</thead>
@@ -409,7 +409,7 @@ endforeach;
 					<?php if ( apply_filters( 'sportspress_event_performance_show_numbers', $numbers, $section ) ) { ?>
 						<td>&nbsp;</td>
 					<?php } ?>
-					<td><strong><?php _e( 'Total', 'sportspress' ); ?></strong></td>
+					<td><strong><?php esc_html_e( 'Total', 'sportspress' ); ?></strong></td>
 					<?php if ( ! empty( $positions ) ) { ?>
 						<td>&nbsp;</td>
 					<?php } ?>
@@ -424,7 +424,7 @@ endforeach;
 						$format             = sp_array_value( $formats, $column, 'number' );
 						$placeholder        = sp_get_format_placeholder( $format );
 						?>
-						<td><input type="text" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" placeholder="<?php echo trim( $placeholder ); ?>" value="<?php echo esc_attr( $value ); ?>" data-sp-format="<?php echo esc_attr( $format ); ?>" /></td>
+						<td><input type="text" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" placeholder="<?php echo esc_attr( trim( $placeholder ) ); ?>" value="<?php echo esc_attr( $value ); ?>" data-sp-format="<?php echo esc_attr( $format ); ?>" /></td>
 					<?php endforeach; ?>
 					<?php if ( apply_filters( 'sportspress_event_performance_show_status', $status, $section ) ) { ?>
 						<td>&nbsp;</td>
@@ -459,7 +459,7 @@ endforeach;
 				</td>
 			<?php } ?>
 			<td>
-				<?php echo apply_filters( 'sportspress_event_performance_player_selection', get_the_title( $player_id ), $player_id ); ?>
+				<?php echo wp_kses_post( apply_filters( 'sportspress_event_performance_player_selection', get_the_title( $player_id ), $player_id ) ); ?>
 				<?php if ( 1 == $section ) { ?>
 					<input type="hidden" name="sp_order[<?php echo esc_attr( $team_id ); ?>][]" value="<?php echo esc_attr( $player_id ); ?>">
 				<?php } ?>
@@ -545,8 +545,8 @@ endforeach;
 							<?php
 							for ( $i = 0; $i < $intval; $i++ ) {
 								?>
-								<input class="sp-sync-input small-text" type="text" name="sp_timeline[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>][<?php echo $i; ?>]" value="<?php echo esc_attr( sp_array_value( $times, $i, '' ) ); ?>" placeholder="-" /><?php } ?>
-							<span class="description"><?php _e( 'mins', 'sportspress' ); ?></span>
+								<input class="sp-sync-input small-text" type="text" name="sp_timeline[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>][<?php echo esc_attr( $i ); ?>]" value="<?php echo esc_attr( sp_array_value( $times, $i, '' ) ); ?>" placeholder="-" /><?php } ?>
+							<span class="description"><?php esc_html_e( 'mins', 'sportspress' ); ?></span>
 							<?php
 						}
 					}