Escape output vars from admin meta-boxes (#1)
@@ -62,8 +62,8 @@ class SP_Meta_Box_Calendar_Columns {
|
||||
?>
|
||||
<li>
|
||||
<label>
|
||||
<input type="checkbox" name="sp_columns[]" value="<?php echo $key; ?>" id="sp_columns_<?php echo $key; ?>" <?php checked( ! is_array( $selected ) || in_array( $key, $selected ) ); ?>>
|
||||
<?php echo $label; ?>
|
||||
<input type="checkbox" name="sp_columns[]" value="<?php echo esc_attr( $key ); ?>" id="sp_columns_<?php echo esc_attr( $key ); ?>" <?php checked( ! is_array( $selected ) || in_array( $key, $selected ) ); ?>>
|
||||
<?php echo esc_attr( $label ); ?>
|
||||
</label>
|
||||
</li>
|
||||
<?php
|
||||
|
||||
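Review bot: `esc_attr()` is applied to the label emitted as element text on the new line `<?php echo esc_attr( $label ); ?>` (between the checkbox and `</label>`), where the WordPress function for HTML body content is `esc_html()`; esc_attr entity-encodes the same five characters, so this is not exploitable as written, but it runs the `attribute_escape` filter instead of `esc_html` and tells the next reader the wrong context. Suggest `<?php echo esc_html( $label ); ?>`. The same attribute-escaper-in-text-context pattern recurs in this commit for `$event->post_title`, `$name` and `$day` in SP_Meta_Box_Calendar_Data, `$format` in SP_Meta_Box_Calendar_Details, SP_Meta_Box_Calendar_Format and SP_Meta_Box_Event_Format, `$title` and `$name` in SP_Meta_Box_Equation, `$mode` in SP_Meta_Box_Event_Mode, `$duty->name` in SP_Meta_Box_Event_Officials, and `$section_label` and `$label` in SP_Meta_Box_Event_Performance. The enclosing method body starts and ends outside the hunk.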
@@ -141,7 +141,7 @@ class SP_Meta_Box_Calendar_Data {
|
||||
<td><?php echo get_post_time( get_option( 'date_format' ), false, $event, true ); ?></td>
|
||||
<?php if ( is_array( $usecolumns ) && in_array( 'event', $usecolumns ) ) { ?>
|
||||
<td>
|
||||
<div class="sp-title-format sp-title-format-title<?php if ( $title_format && $title_format != 'title' ): ?> hidden<?php endif; ?>"><?php echo $event->post_title; ?></div>
|
||||
<div class="sp-title-format sp-title-format-title<?php if ( $title_format && $title_format != 'title' ): ?> hidden<?php endif; ?>"><?php echo esc_attr( $event->post_title ); ?></div>
|
||||
<div class="sp-title-format sp-title-format-teams sp-title-format-homeaway<?php if ( ! in_array( $title_format, array( 'teams', 'homeaway' ) ) ): ?> hidden<?php endif; ?>">
|
||||
<?php
|
||||
if ( $teams ): foreach ( $teams as $team ):
|
||||
@@ -168,7 +168,7 @@ class SP_Meta_Box_Calendar_Data {
|
||||
echo '<a class="result sp-tip" title="' . $team_results . '" href="' . get_edit_post_link( $event->ID ) . '">' . $team_result . '</a> ';
|
||||
endif;
|
||||
|
||||
echo $name . '<br>';
|
||||
echo esc_attr( $name ) . '<br>';
|
||||
endif;
|
||||
endforeach; else:
|
||||
echo '—';
|
||||
@@ -241,7 +241,7 @@ class SP_Meta_Box_Calendar_Data {
|
||||
if ( '' == $day ) {
|
||||
echo '—';
|
||||
} else {
|
||||
echo $day;
|
||||
echo esc_attr( $day );
|
||||
}
|
||||
?>
|
||||
</td>
|
||||
|
||||
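Review bot: The second hunk still writes `$team_results` into a `title` attribute and `$team_result` into the link text unescaped on the context line `echo '<a class="result sp-tip" title="' . $team_results . '" href="' . get_edit_post_link( $event->ID ) . '">' . $team_result . '</a> ';`, while the `$name` echo two lines below is now escaped; the result strings appear to be plugin-generated from performance data, so exposure is presumably limited, but it is the same category of defect the commit sets out to fix. Suggest `echo '<a class="result sp-tip" title="' . esc_attr( $team_results ) . '" href="' . get_edit_post_link( $event->ID ) . '">' . esc_html( $team_result ) . '</a> ';`. The enclosing method body starts and ends outside these hunks.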
@@ -56,7 +56,7 @@ class SP_Meta_Box_Calendar_Details {
|
||||
<select name="sp_event_format" class="postform">
|
||||
<option value="all">All</option>
|
||||
<?php foreach ( SP()->formats->event as $key => $format ): ?>
|
||||
<option value="<?php echo $key; ?>" <?php selected( $event_format, $key ); ?>><?php echo $format; ?></option>
|
||||
<option value="<?php echo esc_attr( $key ); ?>" <?php selected( $event_format, $key ); ?>><?php echo esc_attr( $format ); ?></option>
|
||||
<?php endforeach; ?>
|
||||
</select>
|
||||
</p>
|
||||
@@ -74,9 +74,9 @@ class SP_Meta_Box_Calendar_Details {
|
||||
</p>
|
||||
<div class="sp-date-range">
|
||||
<p class="sp-date-range-absolute">
|
||||
<input type="text" class="sp-datepicker-from" name="sp_date_from" value="<?php echo $date_from ? $date_from : date_i18n( 'Y-m-d' ); ?>" size="10">
|
||||
<input type="text" class="sp-datepicker-from" name="sp_date_from" value="<?php echo $date_from ? esc_attr( $date_from ) : date_i18n( 'Y-m-d' ); ?>" size="10">
|
||||
:
|
||||
<input type="text" class="sp-datepicker-to" name="sp_date_to" value="<?php echo $date_to ? $date_to : date_i18n( 'Y-m-d' ); ?>" size="10">
|
||||
<input type="text" class="sp-datepicker-to" name="sp_date_to" value="<?php echo $date_to ? esc_attr( $date_to ) : date_i18n( 'Y-m-d' ); ?>" size="10">
|
||||
</p>
|
||||
|
||||
<p class="sp-date-range-relative">
|
||||
|
||||
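Review bot: On the two datepicker inputs only the `$date_from` / `$date_to` branch of the ternary is escaped, so the `date_i18n( 'Y-m-d' )` fallback is echoed raw into the `value` attribute; that fallback is built from a fixed format (though it does pass through WordPress's `date_i18n` filter), so this is a point of style rather than a hole, but escaping the whole expression makes the attribute's protection unconditional and easier to audit. Suggest `value="<?php echo esc_attr( $date_from ? $date_from : date_i18n( 'Y-m-d' ) ); ?>"` and the equivalent for `$date_to`. The enclosing method body continues outside the hunk.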
@@ -42,10 +42,10 @@ class SP_Meta_Box_Calendar_Feeds {
|
||||
?>
|
||||
<p>
|
||||
<strong><?php echo sp_array_value( $format, 'name' ); ?></strong>
|
||||
<a class="sp-link" href="<?php echo $feed; ?>" target="_blank" title="<?php _e( 'Link', 'sportspress' ); ?>"></a>
|
||||
<a class="sp-link" href="<?php echo esc_attr( $feed ); ?>" target="_blank" title="<?php _e( 'Link', 'sportspress' ); ?>"></a>
|
||||
</p>
|
||||
<p>
|
||||
<input type="text" value="<?php echo $feed; ?>" readonly="readonly" class="code widefat">
|
||||
<input type="text" value="<?php echo esc_attr( $feed ); ?>" readonly="readonly" class="code widefat">
|
||||
</p>
|
||||
<?php } ?>
|
||||
<?php } ?>
|
||||
|
||||
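Review bot: The feed link's `href` is escaped with `esc_attr( $feed )`; for a URL attribute WordPress provides `esc_url()`, which entity-encodes and additionally rejects disallowed schemes and normalises the value, whereas esc_attr only encodes. Suggest `href="<?php echo esc_url( $feed ); ?>"`; the readonly text input below can keep `esc_attr( $feed )` since that is a plain value attribute. The feed name on the context line `<strong><?php echo sp_array_value( $format, 'name' ); ?></strong>` is still emitted unescaped; `esc_html( sp_array_value( $format, 'name' ) )` would bring it in line with the rest of the commit. The enclosing method body starts and ends outside the hunk.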
@@ -24,7 +24,7 @@ class SP_Meta_Box_Calendar_Format {
|
||||
?>
|
||||
<div id="post-formats-select">
|
||||
<?php foreach ( SP()->formats->calendar as $key => $format ): ?>
|
||||
<input type="radio" name="sp_format" class="post-format" id="post-format-<?php echo $key; ?>" value="<?php echo $key; ?>" <?php checked( true, ( $key == 'calendar' && ! $the_format ) || $the_format == $key ); ?>> <label for="post-format-<?php echo $key; ?>" class="post-format-icon post-format-<?php echo $key; ?>"><?php echo $format; ?></label><br>
|
||||
<input type="radio" name="sp_format" class="post-format" id="post-format-<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $key ); ?>" <?php checked( true, ( $key == 'calendar' && ! $the_format ) || $the_format == $key ); ?>> <label for="post-format-<?php echo esc_attr( $key ); ?>" class="post-format-icon post-format-<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $format ); ?></label><br>
|
||||
<?php endforeach; ?>
|
||||
</div>
|
||||
<?php
|
||||
|
||||
@@ -33,12 +33,12 @@ class SP_Meta_Box_Column_Details extends SP_Meta_Box_Config {
|
||||
?>
|
||||
<p><strong><?php _e( 'Key', 'sportspress' ); ?></strong></p>
|
||||
<p>
|
||||
<input name="sp_default_key" type="hidden" id="sp_default_key" value="<?php echo $post->post_name; ?>">
|
||||
<input name="sp_key" type="text" id="sp_key" value="<?php echo $post->post_name; ?>">
|
||||
<input name="sp_default_key" type="hidden" id="sp_default_key" value="<?php echo esc_attr( $post->post_name ); ?>">
|
||||
<input name="sp_key" type="text" id="sp_key" value="<?php echo esc_attr( $post->post_name ); ?>">
|
||||
</p>
|
||||
<p><strong><?php _e( 'Decimal Places', 'sportspress' ); ?></strong></p>
|
||||
<p class="sp-precision-selector">
|
||||
<input name="sp_precision" type="text" size="4" id="sp_precision" value="<?php echo $precision; ?>" placeholder="0">
|
||||
<input name="sp_precision" type="text" size="4" id="sp_precision" value="<?php echo esc_attr( $precision ); ?>" placeholder="0">
|
||||
</p>
|
||||
<p><strong><?php _e( 'Sort Order', 'sportspress' ); ?></strong></p>
|
||||
<p class="sp-order-selector">
|
||||
|
||||
@@ -58,7 +58,7 @@ class SP_Meta_Box_Equation {
|
||||
endforeach;
|
||||
|
||||
// Add operators to options
|
||||
$options[ 'Operators' ] = array( '+' => '+', '-' => '−', '*' => '×', '/' => '÷', '(' => '(', ')' => ')' );
|
||||
$options[ 'Operators' ] = array( '+' => '+', '-' => '−', '*' => '×', '/' => '÷', '(' => '(', ')' => ')' );
|
||||
|
||||
// Create array of constants
|
||||
$max = 10;
|
||||
@@ -83,7 +83,7 @@ class SP_Meta_Box_Equation {
|
||||
<th><?php _e( $label, 'sportspress' ); ?></th>
|
||||
<td>
|
||||
<?php foreach ( $option as $key => $value ): $parts[ $key ] = $value;
|
||||
?><span class="button" data-variable="<?php echo $key; ?>"><?php echo $value; ?></span><?php
|
||||
?><span class="button" data-variable="<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $value ); ?></span><?php
|
||||
endforeach; ?>
|
||||
</td>
|
||||
</tr>
|
||||
@@ -91,7 +91,7 @@ class SP_Meta_Box_Equation {
|
||||
</table>
|
||||
</div>
|
||||
<div class="sp-equation">
|
||||
<span class="sp-equation-variable"><?php echo $title; ?> = </span>
|
||||
<span class="sp-equation-variable"><?php echo esc_attr( $title ); ?> = </span>
|
||||
<span class="sp-equation-formula"><?php
|
||||
$equation = trim( $equation );
|
||||
if ( $equation !== '' ):
|
||||
@@ -101,7 +101,7 @@ class SP_Meta_Box_Equation {
|
||||
$name = $parts[ $part ];
|
||||
} else {
|
||||
$name = $part;
|
||||
} ?><span class="button"><?php echo $name; ?><span class="remove">×</span><input type="hidden" name="sp_equation[]" value="<?php echo $part; ?>"></span><?php
|
||||
} ?><span class="button"><?php echo esc_attr( $name ); ?><span class="remove">×</span><input type="hidden" name="sp_equation[]" value="<?php echo esc_attr( $part ); ?>"></span><?php
|
||||
endforeach;
|
||||
endif;
|
||||
?></span>
|
||||
|
||||
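Review bot: In the second hunk the column header on the context line `<th><?php _e( $label, 'sportspress' ); ?></th>` still echoes the translated label unescaped; `_e()` performs no escaping, and WordPress ships `esc_html_e( $label, 'sportspress' )` for exactly this position. Passing a variable to a gettext call also means string-extraction tooling cannot pick the text up, so the literal labels are presumably registered for translation elsewhere — worth confirming. In the first hunk the old and new `$options[ 'Operators' ]` lines render identically on this page, so the change is presumably a character-encoding repair of the operator glyphs; if so, a one-line comment such as `// Unicode minus/multiply/divide glyphs are intentional` would stop a later editor from re-normalising them. The enclosing method body spans beyond these hunks.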
@@ -24,7 +24,7 @@ class SP_Meta_Box_Event_Format {
|
||||
?>
|
||||
<div id="post-formats-select">
|
||||
<?php foreach ( SP()->formats->event as $key => $format ): ?>
|
||||
<input type="radio" name="sp_format" class="post-format" id="post-format-<?php echo $key; ?>" value="<?php echo $key; ?>" <?php checked( true, ( $key == 'league' && ! $the_format ) || $the_format == $key ); ?>> <label for="post-format-<?php echo $key; ?>" class="post-format-icon post-format-<?php echo $key; ?>"><?php echo $format; ?></label><br>
|
||||
<input type="radio" name="sp_format" class="post-format" id="post-format-<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $key ); ?>" <?php checked( true, ( $key == 'league' && ! $the_format ) || $the_format == $key ); ?>> <label for="post-format-<?php echo esc_attr( $key ); ?>" class="post-format-icon post-format-<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $format ); ?></label><br>
|
||||
<?php endforeach; ?>
|
||||
</div>
|
||||
<?php
|
||||
|
||||
@@ -23,7 +23,7 @@ class SP_Meta_Box_Event_Mode {
|
||||
?>
|
||||
<div id="post-formats-select">
|
||||
<?php foreach ( array( 'team' => __( 'Team vs team', 'sportspress' ), 'player' => __( 'Player vs player', 'sportspress' ) ) as $key => $mode ): ?>
|
||||
<input type="radio" name="sp_mode" class="post-format" id="post-format-<?php echo $key; ?>" value="<?php echo $key; ?>" <?php checked( $the_mode, $key ); ?>> <label for="post-format-<?php echo $key; ?>" class="post-format-icon post-format-<?php echo $key; ?>"><?php echo $mode; ?></label><br>
|
||||
<input type="radio" name="sp_mode" class="post-format" id="post-format-<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $key ); ?>" <?php checked( $the_mode, $key ); ?>> <label for="post-format-<?php echo esc_attr( $key ); ?>" class="post-format-icon post-format-<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $mode ); ?></label><br>
|
||||
<?php endforeach; ?>
|
||||
</div>
|
||||
<?php
|
||||
|
||||
@@ -42,7 +42,7 @@ class SP_Meta_Box_Event_Officials {
|
||||
if ( is_array( $duties ) && sizeof( $duties ) ) {
|
||||
foreach ( $duties as $duty ) {
|
||||
?>
|
||||
<p><strong><?php echo $duty->name; ?></strong></p>
|
||||
<p><strong><?php echo esc_attr( $duty->name ); ?></strong></p>
|
||||
<p><?php
|
||||
$args = array(
|
||||
'post_type' => 'sp_official',
|
||||
|
||||
@@ -233,7 +233,7 @@ class SP_Meta_Box_Event_Performance {
|
||||
?>
|
||||
<div>
|
||||
<p>
|
||||
<strong><?php echo get_the_title( $team_id ); ?> — <?php echo $section_label; ?></strong>
|
||||
<strong><?php echo get_the_title( $team_id ); ?> — <?php echo esc_attr( $section_label ); ?></strong>
|
||||
<a class="add-new-h2 sp-add-new-h2" href="<?php echo esc_url( admin_url( add_query_arg( array( 'import' => 'sp_event_performance_csv', 'event' => $post_id, 'team' => $team_id ), 'admin.php' ) ) ); ?>"><?php _e( 'Import', 'sportspress' ); ?></a>
|
||||
</p>
|
||||
<?php self::table( $labels[ $section_id ], $columns, $data[ $section_id ], $team_id, ( $has_checkboxes && 0 === $i ), $positions, $status, $section_id, $formats, $order, $numbers, $team_timeline, $timed, $stars ); ?>
|
||||
@@ -322,12 +322,12 @@ class SP_Meta_Box_Event_Performance {
|
||||
<?php if ( 0 == $i ): ?>
|
||||
<input type="hidden" name="sp_columns[]" value="">
|
||||
<?php endif; ?>
|
||||
<label for="sp_columns_<?php echo $key; ?>">
|
||||
<input type="checkbox" name="sp_columns[]" value="<?php echo $key; ?>" id="sp_columns_<?php echo $key; ?>" <?php checked( ! is_array( $columns ) || in_array( $key, $columns ) ); ?>>
|
||||
<?php echo $label; ?>
|
||||
<label for="sp_columns_<?php echo esc_attr( $key ); ?>">
|
||||
<input type="checkbox" name="sp_columns[]" value="<?php echo esc_attr( $key ); ?>" id="sp_columns_<?php echo esc_attr( $key ); ?>" <?php checked( ! is_array( $columns ) || in_array( $key, $columns ) ); ?>>
|
||||
<?php echo esc_attr( $label ); ?>
|
||||
</label>
|
||||
<?php else: ?>
|
||||
<?php echo $label; ?>
|
||||
<?php echo esc_attr( $label ); ?>
|
||||
<?php endif; ?>
|
||||
</th>
|
||||
<?php $i++; endforeach; ?>
|
||||
@@ -371,7 +371,7 @@ class SP_Meta_Box_Event_Performance {
|
||||
$format = sp_array_value( $formats, $column, 'number' );
|
||||
$placeholder = sp_get_format_placeholder( $format );
|
||||
?>
|
||||
<td><input type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" placeholder="<?php echo trim( $placeholder ); ?>" value="<?php echo esc_attr( $value ); ?>" data-sp-format="<?php echo $format; ?>" /></td>
|
||||
<td><input type="text" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" placeholder="<?php echo trim( $placeholder ); ?>" value="<?php echo esc_attr( $value ); ?>" data-sp-format="<?php echo esc_attr( $format ); ?>" /></td>
|
||||
<?php endforeach; ?>
|
||||
<?php if ( apply_filters( 'sportspress_event_performance_show_status', $status, $section ) ) { ?>
|
||||
<td> </td>
|
||||
@@ -394,19 +394,19 @@ class SP_Meta_Box_Event_Performance {
|
||||
$stars_type = get_option( 'sportspress_event_performance_stars_type', 0 );
|
||||
$value = sp_array_value( $player_performance, 'number', '' );
|
||||
?>
|
||||
<tr class="sp-row sp-post" data-player="<?php echo $player_id; ?>">
|
||||
<tr class="sp-row sp-post" data-player="<?php echo esc_attr( $player_id ); ?>">
|
||||
<?php if ( $sortable ) { ?>
|
||||
<td class="icon"><span class="dashicons dashicons-menu post-state-format"></span></td>
|
||||
<?php } ?>
|
||||
<?php if ( apply_filters( 'sportspress_event_performance_show_numbers', $numbers, $section ) ) { ?>
|
||||
<td>
|
||||
<input class="small-text sp-player-number-input sp-sync-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][number]" value="<?php echo esc_attr( $value ); ?>" />
|
||||
<input class="small-text sp-player-number-input sp-sync-input" type="text" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][number]" value="<?php echo esc_attr( $value ); ?>" />
|
||||
</td>
|
||||
<?php } ?>
|
||||
<td>
|
||||
<?php echo apply_filters( 'sportspress_event_performance_player_selection', get_the_title( $player_id ), $player_id ); ?>
|
||||
<?php if ( 1 == $section ) { ?>
|
||||
<input type="hidden" name="sp_order[<?php echo $team_id; ?>][]" value="<?php echo $player_id; ?>">
|
||||
<input type="hidden" name="sp_order[<?php echo esc_attr( $team_id ); ?>][]" value="<?php echo esc_attr( $player_id ); ?>">
|
||||
<?php } ?>
|
||||
</td>
|
||||
<?php if ( $positions ) { ?>
|
||||
@@ -462,13 +462,13 @@ class SP_Meta_Box_Event_Performance {
|
||||
$timeval = preg_replace( '/^0/', '', $timeval );
|
||||
?>
|
||||
|
||||
<input class="sp-player-<?php echo $column; ?>-input sp-convert-time-input sp-sync-input" type="text" name="sp_times[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $timeval ); ?>" placeholder="<?php echo $placeholder; ?>" />
|
||||
<input class="sp-convert-time-output" type="hidden" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" />
|
||||
<input class="sp-player-<?php echo esc_attr( $column ); ?>-input sp-convert-time-input sp-sync-input" type="text" name="sp_times[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="<?php echo esc_attr( $timeval ); ?>" placeholder="<?php echo esc_attr( $placeholder ); ?>" />
|
||||
<input class="sp-convert-time-output" type="hidden" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="<?php echo esc_attr( $value ); ?>" />
|
||||
<?php } elseif ( 'checkbox' === $format ) { ?>
|
||||
<input type="hidden" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="0" />
|
||||
<input class="sp-player-<?php echo $column; ?>-input sp-sync-input" type="checkbox" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="1" data-value="<?php echo $value; ?>" <?php checked( $value ); ?> />
|
||||
<input type="hidden" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="0" />
|
||||
<input class="sp-player-<?php echo esc_attr( $column ); ?>-input sp-sync-input" type="checkbox" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="1" data-value="<?php echo esc_attr( $value ); ?>" <?php checked( $value ); ?> />
|
||||
<?php } else { ?>
|
||||
<input class="sp-player-<?php echo $column; ?>-input sp-sync-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php echo $placeholder; ?>" />
|
||||
<input class="sp-player-<?php echo esc_attr( $column ); ?>-input sp-sync-input" type="text" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php echo esc_attr( $placeholder ); ?>" />
|
||||
<?php } ?>
|
||||
|
||||
<?php if ( $intval && in_array( $column, $timed ) ) { ?>
|
||||
@@ -483,7 +483,7 @@ class SP_Meta_Box_Event_Performance {
|
||||
if ( is_array( $times ) ) {
|
||||
?>
|
||||
<hr>
|
||||
<?php for ( $i = 0; $i < $intval; $i++ ) { ?><input class="sp-sync-input small-text" type="text" name="sp_timeline[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>][<?php echo $i; ?>]" value="<?php echo esc_attr( sp_array_value( $times, $i, '' ) ); ?>" placeholder="-" /><?php } ?>
|
||||
<?php for ( $i = 0; $i < $intval; $i++ ) { ?><input class="sp-sync-input small-text" type="text" name="sp_timeline[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>][<?php echo $i; ?>]" value="<?php echo esc_attr( sp_array_value( $times, $i, '' ) ); ?>" placeholder="-" /><?php } ?>
|
||||
<span class="description"><?php _e( 'mins', 'sportspress' ); ?></span>
|
||||
<?php
|
||||
}
|
||||
@@ -504,7 +504,7 @@ class SP_Meta_Box_Event_Performance {
|
||||
<?php echo self::status_select( $team_id, $player_id, sp_array_value( $player_performance, 'status', null ) ); ?><br>
|
||||
<?php echo self::sub_select( $team_id, $player_id, sp_array_value( $player_performance, 'sub', null ), $data ); ?><br>
|
||||
<?php if ( is_array( $times ) ) { ?>
|
||||
<input class="sp-sync-input small-text" type="text" name="sp_timeline[<?php echo $team_id; ?>][<?php echo $player_id; ?>][sub][]" value="<?php echo esc_attr( sp_array_value( $times, 0, '' ) ); ?>" placeholder="-" />
|
||||
<input class="sp-sync-input small-text" type="text" name="sp_timeline[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][sub][]" value="<?php echo esc_attr( sp_array_value( $times, 0, '' ) ); ?>" placeholder="-" />
|
||||
<span class="description"><?php _e( 'mins', 'sportspress' ); ?></span>
|
||||
<?php } ?>
|
||||
</td>
|
||||
|
||||
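Review bot: In the third hunk the rewritten input line still emits `placeholder="<?php echo trim( $placeholder ); ?>"` unescaped, even though the same `$placeholder` is wrapped in `esc_attr()` on the corresponding inputs in the time and text branches of the fifth hunk; the value comes from `sp_get_format_placeholder( $format )`, so actual exposure depends on what that helper returns, but the inconsistency is what a later reader will trip over. Suggest `placeholder="<?php echo esc_attr( trim( $placeholder ) ); ?>"`. In the first hunk `<?php echo get_the_title( $team_id ); ?>` on the `<strong>` line is left raw next to the newly escaped `$section_label`; `esc_html( get_the_title( $team_id ) )` would match. The enclosing methods start and end outside these hunks.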