From 54eeca28e811c7a82e9c7d0973b60e25346721ce Mon Sep 17 00:00:00 2001
From: savvasha <savvasha@hotmail.com>
Date: Sat, 6 Nov 2021 08:59:30 +0200
Subject: [PATCH] Escape output vars from admin meta-boxes (#3)

---
 .../class-sp-meta-box-player-statistics.php   | 16 +++++++--------
 .../class-sp-meta-box-result-details.php      |  6 +++---
 .../class-sp-meta-box-spec-details.php        |  4 ++--
 .../class-sp-meta-box-staff-details.php       |  4 ++--
 .../class-sp-meta-box-statistic-details.php   |  6 +++---
 .../class-sp-meta-box-table-data.php          | 20 +++++++++----------
 .../class-sp-meta-box-table-details.php       |  6 +++---
 .../class-sp-meta-box-table-format.php        |  2 +-
 .../class-sp-meta-box-table-mode.php          |  2 +-
 .../class-sp-meta-box-team-columns.php        | 13 +++++++-----
 .../class-sp-meta-box-team-lists.php          |  2 +-
 .../class-sp-meta-box-team-staff.php          |  2 +-
 .../class-sp-meta-box-team-tables.php         |  2 +-
 13 files changed, 44 insertions(+), 41 deletions(-)

diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php
index efa78652..819793bd 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-player-statistics.php
@@ -35,7 +35,7 @@ class SP_Meta_Box_Player_Statistics {
 				$i = 0;
 				foreach ( $leagues as $league ):
 					?>
-					<p><strong><?php echo $league->name; ?></strong></p>
+					<p><strong><?php echo esc_attr( $league->name ); ?></strong></p>
 					<?php
 					list( $columns, $data, $placeholders, $merged, $seasons_teams, $has_checkboxes, $formats, $total_types ) = $player->data( $league->term_id, true );
 					self::table( $post->ID, $league->term_id, $columns, $data, $placeholders, $merged, $seasons_teams, $has_checkboxes && $i == 0, true, $formats, $total_types );
@@ -62,7 +62,7 @@ class SP_Meta_Box_Player_Statistics {
 					$i = 0;
 					foreach ( $leagues as $league ):
 						?>
-						<p><strong><?php echo $league->name; ?> &mdash; <?php echo $section_label; ?></strong></p>
+						<p><strong><?php echo esc_attr( $league->name ); ?> &mdash; <?php echo esc_attr( $section_label ); ?></strong></p>
 						<?php
 						list( $columns, $data, $placeholders, $merged, $seasons_teams, $has_checkboxes, $formats, $total_types ) = $player->data( $league->term_id, true, $section_id );
 						self::table( $post->ID, $league->term_id, $columns, $data, $placeholders, $merged, $seasons_teams, $has_checkboxes && $i == 0 && $s == 0, $s == 0, $formats, $total_types );
@@ -70,7 +70,7 @@ class SP_Meta_Box_Player_Statistics {
 					endforeach;
 					if ( $show_career_totals ) {
 						?>
-						<p><strong><?php _e( 'Career Total', 'sportspress' ); ?> &mdash; <?php echo $section_label; ?></strong></p>
+						<p><strong><?php _e( 'Career Total', 'sportspress' ); ?> &mdash; <?php echo esc_attr( $section_label ); ?></strong></p>
 						<?php
 						list( $columns, $data, $placeholders, $merged, $seasons_teams, $has_checkboxes, $formats, $total_types ) = $player->data( 0, true, $section_id );
 						self::table( $post->ID, 0, $columns, $data, $placeholders, $merged, $seasons_teams, $has_checkboxes && $i == 0 && $s == 0, $s == 0, $formats, $total_types );
@@ -108,7 +108,7 @@ class SP_Meta_Box_Player_Statistics {
 							</th>
 						<?php endif; ?>
 						<?php foreach ( $columns as $key => $label ): if ( $key == 'team' ) continue; ?>
-							<th><?php echo $label; ?></th>
+							<th><?php echo esc_attr( $label ); ?></th>
 						<?php endforeach; ?>
 						<?php do_action( 'sportspress_meta_box_player_statistics_table_header_row', $id, $league_id ); ?>
 					</tr>
@@ -135,7 +135,7 @@ class SP_Meta_Box_Player_Statistics {
 								}
 
 								if ( $readonly ) {
-									echo $value ? $value : $placeholder;
+									echo $value ? esc_attr( $value ) : esc_attr( $placeholder );
 								} else {
 									if ( 'time' === sp_array_value( $formats, $column, 'number' ) ) {
 										echo '<input class="sp-convert-time-input" type="text" name="sp_times[' . $league_id . '][0][' . $column . ']" value="' . ( '' === $value ? '' : esc_attr( $timeval ) ) . '" placeholder="' . esc_attr( $placeholder ) . '"' . ( $readonly ? ' disabled="disabled"' : '' ) . '  />';
@@ -162,8 +162,8 @@ class SP_Meta_Box_Player_Statistics {
 								<label>
 									<?php if ( ! apply_filters( 'sportspress_player_team_statistics', $league_id ) ): ?>
 										<?php $value = sp_array_value( $leagues, $div_id, '-1' ); ?>
-										<input type="hidden" name="sp_leagues[<?php echo $league_id; ?>][<?php echo $div_id; ?>]" value="-1">
-										<input type="checkbox" name="sp_leagues[<?php echo $league_id; ?>][<?php echo $div_id; ?>]" value="1" <?php checked( $value ); ?>>
+										<input type="hidden" name="sp_leagues[<?php echo esc_attr( $league_id ); ?>][<?php echo esc_attr( $div_id ); ?>]" value="-1">
+										<input type="checkbox" name="sp_leagues[<?php echo esc_attr( $league_id ); ?>][<?php echo esc_attr( $div_id ); ?>]" value="1" <?php checked( $value ); ?>>
 									<?php endif; ?>
 									<?php
 									if ( 0 === $div_id ) _e( 'Total', 'sportspress' );
@@ -225,7 +225,7 @@ class SP_Meta_Box_Player_Statistics {
 									}
 
 									if ( $readonly ) {
-										echo $timeval ? $timeval : $placeholder;
+										echo $timeval ? esc_attr( $timeval ) : esc_attr( $placeholder );
 									} else {
 										if ( 'time' === sp_array_value( $formats, $column, 'number' ) ) {
 											echo '<input class="sp-convert-time-input" type="text" name="sp_times[' . $league_id . '][' . $div_id . '][' . $column . ']" value="' . ( '' === $value ? '' : esc_attr( $timeval ) ) . '" placeholder="' . esc_attr( $placeholder ) . '"' . ( $readonly ? ' disabled="disabled"' : '' ) . ' data-column="' . $column . '" />';
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-result-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-result-details.php
index 64088d88..4cb2d660 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-result-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-result-details.php
@@ -33,12 +33,12 @@ class SP_Meta_Box_Result_Details extends SP_Meta_Box_Config {
 		?>
 		<p><strong><?php _e( 'Variable', 'sportspress' ); ?></strong></p>
 		<p>
-			<input name="sp_default_key" type="hidden" id="sp_default_key" value="<?php echo $post->post_name; ?>">
-			<input name="sp_key" type="text" id="sp_key" value="<?php echo $post->post_name; ?>"<?php if ( $readonly ) { ?> readonly="readonly"<?php } ?>> <span class="description">(for, against)</span>
+			<input name="sp_default_key" type="hidden" id="sp_default_key" value="<?php echo esc_attr( $post->post_name ); ?>">
+			<input name="sp_key" type="text" id="sp_key" value="<?php echo esc_attr( $post->post_name ); ?>"<?php if ( $readonly ) { ?> readonly="readonly"<?php } ?>> <span class="description">(for, against)</span>
 		</p>
 		<p><strong><?php _e( 'Decimal Places', 'sportspress' ); ?></strong></p>
 		<p class="sp-precision-selector">
-			<input name="sp_precision" type="text" size="4" id="sp_precision" value="<?php echo $precision; ?>" placeholder="0">
+			<input name="sp_precision" type="text" size="4" id="sp_precision" value="<?php echo esc_attr( $precision ); ?>" placeholder="0">
 		</p>
 		<?php
 	}
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-spec-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-spec-details.php
index 6940b6fe..6bedaeec 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-spec-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-spec-details.php
@@ -28,8 +28,8 @@ class SP_Meta_Box_Spec_Details extends SP_Meta_Box_Config {
 		?>
 		<p><strong><?php _e( 'Variable', 'sportspress' ); ?></strong></p>
 		<p>
-			<input name="sp_default_key" type="hidden" id="sp_default_key" value="<?php echo $post->post_name; ?>">
-			<input name="sp_key" type="text" id="sp_key" value="<?php echo $post->post_name; ?>">
+			<input name="sp_default_key" type="hidden" id="sp_default_key" value="<?php echo esc_attr( $post->post_name ); ?>">
+			<input name="sp_key" type="text" id="sp_key" value="<?php echo esc_attr( $post->post_name ); ?>">
 		</p>
 		<p>
 			<strong><?php _e( 'Visible', 'sportspress' ); ?></strong>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-staff-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-staff-details.php
index 0a1b6367..4c2e8c83 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-staff-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-staff-details.php
@@ -76,9 +76,9 @@ class SP_Meta_Box_Staff_Details {
 		<p><select id="sp_nationality" name="sp_nationality[]" data-placeholder="<?php printf( __( 'Select %s', 'sportspress' ), __( 'Nationality', 'sportspress' ) ); ?>" class="widefat chosen-select<?php if ( is_rtl() ): ?> chosen-rtl<?php endif; ?>" multiple="multiple">
 			<option value=""></option>
 			<?php foreach ( $continents as $continent => $countries ): ?>
-				<optgroup label="<?php echo $continent; ?>">
+				<optgroup label="<?php echo esc_attr( $continent ); ?>">
 					<?php foreach ( $countries as $code => $country ): ?>
-						<option value="<?php echo $code; ?>" <?php selected ( in_array( $code, $nationalities ) ); ?>><?php echo $country; ?></option>
+						<option value="<?php echo esc_attr( $code ); ?>" <?php selected ( in_array( $code, $nationalities ) ); ?>><?php echo esc_attr( $country ); ?></option>
 					<?php endforeach; ?>
 				</optgroup>
 			<?php endforeach; ?>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-statistic-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-statistic-details.php
index 890fd7ea..9eabb300 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-statistic-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-statistic-details.php
@@ -37,12 +37,12 @@ class SP_Meta_Box_Statistic_Details extends SP_Meta_Box_Config {
 		?>
 		<p><strong><?php _e( 'Key', 'sportspress' ); ?></strong></p>
 		<p>
-			<input name="sp_default_key" type="hidden" id="sp_default_key" value="<?php echo $post->post_name; ?>">
-			<input name="sp_key" type="text" id="sp_key" value="<?php echo $post->post_name; ?>">
+			<input name="sp_default_key" type="hidden" id="sp_default_key" value="<?php echo esc_attr( $post->post_name ); ?>">
+			<input name="sp_key" type="text" id="sp_key" value="<?php echo esc_attr( $post->post_name ); ?>">
 		</p>
 		<p><strong><?php _e( 'Decimal Places', 'sportspress' ); ?></strong></p>
 		<p class="sp-precision-selector">
-			<input name="sp_precision" type="text" size="4" id="sp_precision" value="<?php echo $precision; ?>" placeholder="0">
+			<input name="sp_precision" type="text" size="4" id="sp_precision" value="<?php echo esc_attr( $precision ); ?>" placeholder="0">
 		</p>
 		<p><strong><?php _e( 'Category', 'sportspress' ); ?></strong></p>
 		<p class="sp-section-selector">
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-data.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-data.php
index 3e81068f..ef667704 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-data.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-data.php
@@ -81,11 +81,11 @@ class SP_Meta_Box_Table_Data {
 						<?php } ?>
 						<th><?php _e( 'Team', 'sportspress' ); ?></th>
 						<?php foreach ( $columns as $key => $label ): ?>
-							<th><label for="sp_columns_<?php echo $key; ?>">
+							<th><label for="sp_columns_<?php echo esc_attr( $key ); ?>">
 								<?php if ( ! $readonly ) { ?>
-									<input type="checkbox" name="sp_columns[]" value="<?php echo $key; ?>" id="sp_columns_<?php echo $key; ?>" <?php checked( ! is_array( $usecolumns ) || in_array( $key, $usecolumns ) ); ?>>
+									<input type="checkbox" name="sp_columns[]" value="<?php echo esc_attr( $key ); ?>" id="sp_columns_<?php echo esc_attr( $key ); ?>" <?php checked( ! is_array( $usecolumns ) || in_array( $key, $usecolumns ) ); ?>>
 								<?php } ?>
-								<?php echo $label; ?>
+								<?php echo esc_attr( $label ); ?>
 							</label></th>
 						<?php endforeach; ?>
 					</tr>
@@ -104,19 +104,19 @@ class SP_Meta_Box_Table_Data {
 							?>
 							<tr class="sp-row sp-post<?php if ( $i % 2 == 0 ) echo ' alternate'; ?>">
 								<?php if ( ! $readonly ) { ?>
-									<td><input type="radio" class="sp-radio-toggle" name="sp_highlight" value="<?php echo $team_id; ?>" <?php checked( $highlight, $team_id ); ?> <?php disabled( $readonly ); ?>></td>
+									<td><input type="radio" class="sp-radio-toggle" name="sp_highlight" value="<?php echo esc_attr( $team_id ); ?>" <?php checked( $highlight, $team_id ); ?> <?php disabled( $readonly ); ?>></td>
 								<?php } ?>
 								<td>
 									<?php if ( $show_team_logo ) echo get_the_post_thumbnail( $team_id, 'sportspress-fit-mini' ); ?>
 									<?php if ( $readonly ) { ?>
-										<?php echo $default_name; ?>
+										<?php echo esc_attr( $default_name ); ?>
 									<?php } else { ?>
 										<span class="sp-default-value">
-											<span class="sp-default-value-input"><?php echo $default_name; ?></span>
+											<span class="sp-default-value-input"><?php echo esc_attr( $default_name ); ?></span>
 											<a class="dashicons dashicons-edit sp-edit" title="<?php _e( 'Edit', 'sportspress' ); ?>"></a>
 										</span>
 										<span class="hidden sp-custom-value">
-											<input type="text" name="sp_teams[<?php echo $team_id; ?>][name]" class="name sp-custom-value-input" value="<?php echo esc_attr( sp_array_value( $team_stats, 'name', '' ) ); ?>" placeholder="<?php echo esc_attr( get_the_title( $team_id ) ); ?>" size="6">
+											<input type="text" name="sp_teams[<?php echo esc_attr( $team_id ); ?>][name]" class="name sp-custom-value-input" value="<?php echo esc_attr( sp_array_value( $team_stats, 'name', '' ) ); ?>" placeholder="<?php echo esc_attr( get_the_title( $team_id ) ); ?>" size="6">
 											<a class="button button-secondary sp-cancel"><?php _e( 'Cancel', 'sportspress' ); ?></a>
 											<a class="button button-primary sp-save"><?php _e( 'Save', 'sportspress' ); ?></a>
 										</span>
@@ -127,7 +127,7 @@ class SP_Meta_Box_Table_Data {
 									$placeholder = sp_array_value( sp_array_value( $placeholders, $team_id, array() ), $column, 0 );
 									$placeholder = wp_strip_all_tags( $placeholder );
 									?>
-									<td><input type="text" name="sp_teams[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php echo esc_attr( $placeholder ); ?>" data-placeholder="<?php echo esc_attr( $placeholder ); ?>" data-matrix="<?php echo $team_id; ?>_<?php echo $column; ?>" data-adjustment="<?php echo esc_attr( sp_array_value( sp_array_value( $adjustments, $team_id, array() ), $column, 0 ) ); ?>" <?php disabled( $readonly ); ?> /></td>
+									<td><input type="text" name="sp_teams[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php echo esc_attr( $placeholder ); ?>" data-placeholder="<?php echo esc_attr( $placeholder ); ?>" data-matrix="<?php echo esc_attr( $team_id ); ?>_<?php echo esc_attr( $column ); ?>" data-adjustment="<?php echo esc_attr( sp_array_value( sp_array_value( $adjustments, $team_id, array() ), $column, 0 ) ); ?>" <?php disabled( $readonly ); ?> /></td>
 								<?php endforeach; ?>
 							</tr>
 							<?php
@@ -152,7 +152,7 @@ class SP_Meta_Box_Table_Data {
 					<tr>
 						<th><?php _e( 'Team', 'sportspress' ); ?></th>
 						<?php foreach ( $columns as $key => $label ): ?>
-							<th><?php echo $label; ?></th>
+							<th><?php echo esc_attr( $label ); ?></th>
 						<?php endforeach; ?>
 					</tr>
 				</thead>
@@ -171,7 +171,7 @@ class SP_Meta_Box_Table_Data {
 								<?php foreach( $columns as $column => $label ):
 									$value = sp_array_value( sp_array_value( $adjustments, $team_id, array() ), $column, '' );
 									?>
-									<td><input type="text" name="sp_adjustments[<?php echo $team_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="0" data-matrix="<?php echo $team_id; ?>_<?php echo $column; ?>" /></td>
+									<td><input type="text" name="sp_adjustments[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="0" data-matrix="<?php echo esc_attr( $team_id ); ?>_<?php echo esc_attr( $column ); ?>" /></td>
 								<?php endforeach; ?>
 							</tr>
 							<?php
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-details.php
index 87b07179..42926f06 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-details.php
@@ -54,14 +54,14 @@ class SP_Meta_Box_Table_Details {
 				</p>
 				<div class="sp-date-range">
 					<p class="sp-date-range-absolute">
-						<input type="text" class="sp-datepicker-from" name="sp_date_from" value="<?php echo $date_from ? $date_from : date_i18n( 'Y-m-d' ); ?>" size="10">
+						<input type="text" class="sp-datepicker-from" name="sp_date_from" value="<?php echo $date_from ? esc_attr( $date_from ) : date_i18n( 'Y-m-d' ); ?>" size="10">
 						:
-						<input type="text" class="sp-datepicker-to" name="sp_date_to" value="<?php echo $date_to ? $date_to : date_i18n( 'Y-m-d' ); ?>" size="10">
+						<input type="text" class="sp-datepicker-to" name="sp_date_to" value="<?php echo $date_to ? esc_attr( $date_to ) : date_i18n( 'Y-m-d' ); ?>" size="10">
 					</p>
 
 					<p class="sp-date-range-relative">
 						<?php _e( 'Past', 'sportspress' ); ?>
-						<input type="number" min="0" step="1" class="tiny-text" name="sp_date_past" value="<?php echo '' !== $date_past ? $date_past : 7; ?>">
+						<input type="number" min="0" step="1" class="tiny-text" name="sp_date_past" value="<?php echo '' !== $date_past ? esc_attr( $date_past ) : 7; ?>">
 						<?php _e( 'days', 'sportspress' ); ?>
 					</p>
 
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-format.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-format.php
index cc83a0fb..414c1f6f 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-format.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-format.php
@@ -24,7 +24,7 @@ class SP_Meta_Box_Table_Format {
 		?>
 		<div id="post-formats-select">
 			<?php foreach ( SP()->formats->table as $key => $format ): ?>
-				<input type="radio" name="sp_format" class="post-format" id="post-format-<?php echo $key; ?>" value="<?php echo $key; ?>" <?php checked( true, ( $key == 'standings' && ! $the_format ) || $the_format == $key ); ?>> <label for="post-format-<?php echo $key; ?>" class="post-format-icon post-format-<?php echo $key; ?>"><?php echo $format; ?></label><br>
+				<input type="radio" name="sp_format" class="post-format" id="post-format-<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $key ); ?>" <?php checked( true, ( $key == 'standings' && ! $the_format ) || $the_format == $key ); ?>> <label for="post-format-<?php echo esc_attr( $key ); ?>" class="post-format-icon post-format-<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $format ); ?></label><br>
 			<?php endforeach; ?>
 		</div>
 		<?php
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-mode.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-mode.php
index 06d230e9..6485e0ae 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-mode.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-table-mode.php
@@ -23,7 +23,7 @@ class SP_Meta_Box_Table_Mode {
     ?>
     <div id="post-formats-select">
       <?php foreach ( array( 'team' => __( 'Team vs team', 'sportspress' ), 'player' => __( 'Player vs player', 'sportspress' ) ) as $key => $mode ): ?>
-        <input type="radio" name="sp_mode" class="post-format" id="post-format-<?php echo $key; ?>" value="<?php echo $key; ?>" <?php checked( $the_mode, $key ); ?>> <label for="post-format-<?php echo $key; ?>" class="post-format-icon post-format-<?php echo $key; ?>"><?php echo $mode; ?></label><br>
+        <input type="radio" name="sp_mode" class="post-format" id="post-format-<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $key ); ?>" <?php checked( $the_mode, $key ); ?>> <label for="post-format-<?php echo esc_attr( $key ); ?>" class="post-format-icon post-format-<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $mode ); ?></label><br>
       <?php endforeach; ?>
     </div>
     <?php
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-columns.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-columns.php
index e8c297fa..292629b8 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-columns.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-columns.php
@@ -28,7 +28,7 @@ class SP_Meta_Box_Team_Columns {
 
 			$league_id = $league->term_id;
 			?>
-			<p><strong><?php echo $league->name; ?></strong></p>
+			<p><strong><?php echo esc_attr( $league->name ); ?></strong></p>
 			<?php
 			list( $columns, $data, $placeholders ) = $team->columns( $league_id );
 			self::table( $league_id, $columns, $data, $placeholders );
@@ -59,7 +59,7 @@ class SP_Meta_Box_Team_Columns {
 					<tr>
 						<th><?php _e( 'Season', 'sportspress' ); ?></th>
 						<?php foreach ( $columns as $label ): ?>
-							<th><?php echo $label; ?></th>
+							<th><?php echo esc_attr( $label ); ?></th>
 						<?php endforeach; ?>
 					</tr>
 				</thead>
@@ -71,10 +71,13 @@ class SP_Meta_Box_Team_Columns {
 						?>
 						<tr class="sp-row sp-post<?php if ( $i % 2 == 0 ) echo ' alternate'; ?>">
 							<td>
-								<label for="sp_leagues_<?php echo $league_id; ?>_<?php echo $div_id; ?>">
+								<label for="sp_leagues_<?php echo esc_attr( $league_id ); ?>_<?php echo esc_attr( $div_id ); ?>">
 									<?php
-									if ( 'WP_Error' == get_class( $div ) ) _e( 'Total', 'sportspress' );
-									else echo $div->name;
+									if ( 'WP_Error' == get_class( $div ) ) :
+										_e( 'Total', 'sportspress' );
+									else :
+										echo esc_attr( $div->name );
+									endif;
 									?>
 								</label>
 							</td>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-lists.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-lists.php
index 875a0dff..7d6ce856 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-lists.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-lists.php
@@ -83,7 +83,7 @@ class SP_Meta_Box_Team_Lists {
 									</td>
 									<td>
 										<a href="<?php echo get_edit_post_link( $list->ID ); ?>">
-											<?php echo $list->post_title; ?>
+											<?php echo esc_attr( $list->post_title ); ?>
 										</a>
 									</td>
 									<td><?php echo sizeof( $players ); ?></td>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-staff.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-staff.php
index 1d739398..b53c31af 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-staff.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-staff.php
@@ -79,7 +79,7 @@ class SP_Meta_Box_Team_Staff {
 									</td>
 									<td>
 										<a href="<?php echo get_edit_post_link( $staff->ID ); ?>">
-											<?php echo $staff->post_title; ?>
+											<?php echo esc_attr( $staff->post_title ); ?>
 										</a>
 									</td>
 									<td><?php echo get_the_terms ( $staff->ID, 'sp_role' ) ? the_terms( $staff->ID, 'sp_role' ) : '&mdash;'; ?></td>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-tables.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-tables.php
index 916fce61..76e636e8 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-tables.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-team-tables.php
@@ -80,7 +80,7 @@ class SP_Meta_Box_Team_Tables {
 									</td>
 									<td>
 										<a href="<?php echo get_edit_post_link( $table->ID ); ?>">
-											<?php echo $table->post_title; ?>
+											<?php echo esc_attr( $table->post_title ); ?>
 										</a>
 									</td>
 									<td><?php echo sizeof( $teams ); ?></td>