From 54868464f0ea2fa3c2c67d9374fa7362339e7443 Mon Sep 17 00:00:00 2001
From: savvasha
Date: Sun, 28 Nov 2021 11:58:41 +0200
Subject: [PATCH] FIX: The returned input field was not escaped correctly
---
 .../class-sp-meta-box-player-statistics.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php
index 1727f125..f2296702 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php
@@ -199,7 +199,18 @@ class SP_Meta_Box_Player_Statistics {
 if ( 0 === $div_id ) {
 esc_attr_e( 'Total', 'sportspress' );
 } elseif ( 'WP_Error' != get_class( $div ) ) {
- echo esc_attr( apply_filters( 'sportspress_meta_box_player_statistics_season_name', $div->name, $league_id, $div_id, $div_stats ) );
+ $allowed_html = array(
+ 'input' => array(
+ 'type' => array(),
+ 'class' => array(),
+ 'name' => array(),
+ 'value' => array(),
+ 'size' => array(),
+ 'placeholder' => array(),
+ 'id' => array(),
+ ),
+ );
+ echo wp_kses( apply_filters( 'sportspress_meta_box_player_statistics_season_name', $div->name, $league_id, $div_id, $div_stats ), $allowed_html );
 }
 ?>
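Review bot: The new `echo wp_kses( ... )` is only safe if this output lands in element content, because unlike the `esc_attr()` it replaces, `wp_kses()` does not encode `"` or `'` in text — if the `<?php ... ?>` block sits inside an HTML attribute (the sibling `esc_attr_e( 'Total' )` branch hints at attribute-style escaping), a season name containing a quote breaks out of it, so please confirm the surrounding markup, which is outside the hunk. The allowlist itself is tight (only `type`/`class`/`name`/`value`/`size`/`placeholder`/`id`, no event handlers, no `src`/`formaction`), but it appears to be rebuilt on every per-division iteration; hoisting `$allowed_html` above the loop or into a `private static` property avoids that. A why-comment would help the next reader, e.g. `// The season-name filter may return an <input> element, so allow only that tag with a closed attribute list instead of escaping it away.` Note also that plain names containing `<` are now stripped by kses rather than displayed escaped, which is a small behaviour change from the previous `esc_attr()`. The enclosing method continues outside the hunk.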