From 696670e5d530c25ed5f6debb7f82d93ba338e525 Mon Sep 17 00:00:00 2001
From: savvasha <savvasha@hotmail.com>
Date: Fri, 5 Nov 2021 17:56:58 +0200
Subject: [PATCH] Escape output vars from admin meta-boxes (#1)

---
 .../class-sp-meta-box-calendar-columns.php    |  4 +--
 .../class-sp-meta-box-calendar-data.php       |  6 ++--
 .../class-sp-meta-box-calendar-details.php    |  6 ++--
 .../class-sp-meta-box-calendar-feeds.php      |  4 +--
 .../class-sp-meta-box-calendar-format.php     |  2 +-
 .../class-sp-meta-box-column-details.php      |  6 ++--
 .../meta-boxes/class-sp-meta-box-equation.php |  8 ++---
 .../class-sp-meta-box-event-format.php        |  2 +-
 .../class-sp-meta-box-event-mode.php          |  2 +-
 .../class-sp-meta-box-event-officials.php     |  2 +-
 .../class-sp-meta-box-event-performance.php   | 32 +++++++++----------
 11 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-columns.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-columns.php
index c0ded109..eebcfb7b 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-columns.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-columns.php
@@ -62,8 +62,8 @@ class SP_Meta_Box_Calendar_Columns {
 					?>
 					<li>
 						<label>
-							<input type="checkbox" name="sp_columns[]" value="<?php echo $key; ?>" id="sp_columns_<?php echo $key; ?>" <?php checked( ! is_array( $selected ) || in_array( $key, $selected ) ); ?>>
-							<?php echo $label; ?>
+							<input type="checkbox" name="sp_columns[]" value="<?php echo esc_attr( $key ); ?>" id="sp_columns_<?php echo esc_attr( $key ); ?>" <?php checked( ! is_array( $selected ) || in_array( $key, $selected ) ); ?>>
+							<?php echo esc_attr( $label ); ?>
 						</label>
 					</li>
 					<?php
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-data.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-data.php
index f6c365fb..b3438805 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-data.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-data.php
@@ -141,7 +141,7 @@ class SP_Meta_Box_Calendar_Data {
 									<td><?php echo get_post_time( get_option( 'date_format' ), false, $event, true ); ?></td>
 									<?php if ( is_array( $usecolumns ) && in_array( 'event', $usecolumns ) ) { ?>
 										<td>
-											<div class="sp-title-format sp-title-format-title<?php if ( $title_format && $title_format != 'title' ): ?> hidden<?php endif; ?>"><?php echo $event->post_title; ?></div>
+											<div class="sp-title-format sp-title-format-title<?php if ( $title_format && $title_format != 'title' ): ?> hidden<?php endif; ?>"><?php echo esc_attr( $event->post_title ); ?></div>
 											<div class="sp-title-format sp-title-format-teams sp-title-format-homeaway<?php if ( ! in_array( $title_format, array( 'teams', 'homeaway' ) ) ): ?> hidden<?php endif; ?>">
 												<?php
 												if ( $teams ): foreach ( $teams as $team ):
@@ -168,7 +168,7 @@ class SP_Meta_Box_Calendar_Data {
 															echo '<a class="result sp-tip" title="' . $team_results . '" href="' . get_edit_post_link( $event->ID ) . '">' . $team_result . '</a> ';
 														endif;
 
-														echo $name . '<br>';
+														echo esc_attr( $name ) . '<br>';
 													endif;
 												endforeach; else:
 													echo '&mdash;';
@@ -241,7 +241,7 @@ class SP_Meta_Box_Calendar_Data {
 											if ( '' == $day ) {
 												echo '&mdash;';
 											} else {
-												echo $day;
+												echo esc_attr( $day );
 											}
 											?>
 										</td>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-details.php
index db522044..67764536 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-details.php
@@ -56,7 +56,7 @@ class SP_Meta_Box_Calendar_Details {
 				<select name="sp_event_format" class="postform">
 					<option value="all">All</option>
 					<?php foreach ( SP()->formats->event as $key => $format ): ?>
-						<option value="<?php echo $key; ?>" <?php selected( $event_format, $key ); ?>><?php echo $format; ?></option>
+						<option value="<?php echo esc_attr( $key ); ?>" <?php selected( $event_format, $key ); ?>><?php echo esc_attr( $format ); ?></option>
 					<?php endforeach; ?>
 				</select>
 			</p>
@@ -74,9 +74,9 @@ class SP_Meta_Box_Calendar_Details {
 				</p>
 				<div class="sp-date-range">
 					<p class="sp-date-range-absolute">
-						<input type="text" class="sp-datepicker-from" name="sp_date_from" value="<?php echo $date_from ? $date_from : date_i18n( 'Y-m-d' ); ?>" size="10">
+						<input type="text" class="sp-datepicker-from" name="sp_date_from" value="<?php echo $date_from ? esc_attr( $date_from ) : date_i18n( 'Y-m-d' ); ?>" size="10">
 						:
-						<input type="text" class="sp-datepicker-to" name="sp_date_to" value="<?php echo $date_to ? $date_to : date_i18n( 'Y-m-d' ); ?>" size="10">
+						<input type="text" class="sp-datepicker-to" name="sp_date_to" value="<?php echo $date_to ? esc_attr( $date_to ) : date_i18n( 'Y-m-d' ); ?>" size="10">
 					</p>
 
 					<p class="sp-date-range-relative">
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-feeds.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-feeds.php
index 293209f2..5dd3aa40 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-feeds.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-feeds.php
@@ -42,10 +42,10 @@ class SP_Meta_Box_Calendar_Feeds {
 					?>
 					<p>
 						<strong><?php echo sp_array_value( $format, 'name' ); ?></strong>
-						<a class="sp-link" href="<?php echo $feed; ?>" target="_blank" title="<?php _e( 'Link', 'sportspress' ); ?>"></a>
+						<a class="sp-link" href="<?php echo esc_attr( $feed ); ?>" target="_blank" title="<?php _e( 'Link', 'sportspress' ); ?>"></a>
 					</p>
 					<p>
-						<input type="text" value="<?php echo $feed; ?>" readonly="readonly" class="code widefat">
+						<input type="text" value="<?php echo esc_attr( $feed ); ?>" readonly="readonly" class="code widefat">
 					</p>
 				<?php } ?>
 			<?php } ?>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-format.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-format.php
index ad94bcf7..38662710 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-format.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-calendar-format.php
@@ -24,7 +24,7 @@ class SP_Meta_Box_Calendar_Format {
 		?>
 		<div id="post-formats-select">
 			<?php foreach ( SP()->formats->calendar as $key => $format ): ?>
-				<input type="radio" name="sp_format" class="post-format" id="post-format-<?php echo $key; ?>" value="<?php echo $key; ?>" <?php checked( true, ( $key == 'calendar' && ! $the_format ) || $the_format == $key ); ?>> <label for="post-format-<?php echo $key; ?>" class="post-format-icon post-format-<?php echo $key; ?>"><?php echo $format; ?></label><br>
+				<input type="radio" name="sp_format" class="post-format" id="post-format-<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $key ); ?>" <?php checked( true, ( $key == 'calendar' && ! $the_format ) || $the_format == $key ); ?>> <label for="post-format-<?php echo esc_attr( $key ); ?>" class="post-format-icon post-format-<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $format ); ?></label><br>
 			<?php endforeach; ?>
 		</div>
 		<?php
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-column-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-column-details.php
index efff610c..6e5e7c15 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-column-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-column-details.php
@@ -33,12 +33,12 @@ class SP_Meta_Box_Column_Details extends SP_Meta_Box_Config {
 		?>
 		<p><strong><?php _e( 'Key', 'sportspress' ); ?></strong></p>
 		<p>
-			<input name="sp_default_key" type="hidden" id="sp_default_key" value="<?php echo $post->post_name; ?>">
-			<input name="sp_key" type="text" id="sp_key" value="<?php echo $post->post_name; ?>">
+			<input name="sp_default_key" type="hidden" id="sp_default_key" value="<?php echo esc_attr( $post->post_name ); ?>">
+			<input name="sp_key" type="text" id="sp_key" value="<?php echo esc_attr( $post->post_name ); ?>">
 		</p>
 		<p><strong><?php _e( 'Decimal Places', 'sportspress' ); ?></strong></p>
 		<p class="sp-precision-selector">
-			<input name="sp_precision" type="text" size="4" id="sp_precision" value="<?php echo $precision; ?>" placeholder="0">
+			<input name="sp_precision" type="text" size="4" id="sp_precision" value="<?php echo esc_attr( $precision ); ?>" placeholder="0">
 		</p>
 		<p><strong><?php _e( 'Sort Order', 'sportspress' ); ?></strong></p>
 		<p class="sp-order-selector">
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-equation.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-equation.php
index 87f99567..69f65134 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-equation.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-equation.php
@@ -58,7 +58,7 @@ class SP_Meta_Box_Equation {
 		endforeach;
 
 		// Add operators to options
-		$options[ 'Operators' ] = array( '+' => '&plus;', '-' => '&minus;', '*' => '&times;', '/' => '&divide;', '(' => '(', ')' => ')' );
+		$options[ 'Operators' ] = array( '+' => '&#43;', '-' => '&minus;', '*' => '&times;', '/' => '&divide;', '(' => '(', ')' => ')' );
 
 		// Create array of constants
 		$max = 10;
@@ -83,7 +83,7 @@ class SP_Meta_Box_Equation {
 							<th><?php _e( $label, 'sportspress' ); ?></th>
 							<td>
 								<?php foreach ( $option as $key => $value ): $parts[ $key ] = $value;
-									?><span class="button" data-variable="<?php echo $key; ?>"><?php echo $value; ?></span><?php
+									?><span class="button" data-variable="<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $value ); ?></span><?php
 								endforeach; ?>
 							</td>
 						</tr>
@@ -91,7 +91,7 @@ class SP_Meta_Box_Equation {
 				</table>
 			</div>
 			<div class="sp-equation">
-				<span class="sp-equation-variable"><?php echo $title; ?> = </span>
+				<span class="sp-equation-variable"><?php echo esc_attr( $title ); ?> = </span>
 				<span class="sp-equation-formula"><?php
 					$equation = trim( $equation );
 					if ( $equation !== '' ):
@@ -101,7 +101,7 @@ class SP_Meta_Box_Equation {
 								$name = $parts[ $part ];
 							} else {
 								$name = $part;
-							} ?><span class="button"><?php echo $name; ?><span class="remove">&times;</span><input type="hidden" name="sp_equation[]" value="<?php echo $part; ?>"></span><?php
+							} ?><span class="button"><?php echo esc_attr( $name ); ?><span class="remove">&times;</span><input type="hidden" name="sp_equation[]" value="<?php echo esc_attr( $part ); ?>"></span><?php
 						endforeach;
 					endif;
 				?></span>
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-format.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-format.php
index 2221c8a1..4f7f25da 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-format.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-format.php
@@ -24,7 +24,7 @@ class SP_Meta_Box_Event_Format {
 		?>
 		<div id="post-formats-select">
 			<?php foreach ( SP()->formats->event as $key => $format ): ?>
-				<input type="radio" name="sp_format" class="post-format" id="post-format-<?php echo $key; ?>" value="<?php echo $key; ?>" <?php checked( true, ( $key == 'league' && ! $the_format ) || $the_format == $key ); ?>> <label for="post-format-<?php echo $key; ?>" class="post-format-icon post-format-<?php echo $key; ?>"><?php echo $format; ?></label><br>
+				<input type="radio" name="sp_format" class="post-format" id="post-format-<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $key ); ?>" <?php checked( true, ( $key == 'league' && ! $the_format ) || $the_format == $key ); ?>> <label for="post-format-<?php echo esc_attr( $key ); ?>" class="post-format-icon post-format-<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $format ); ?></label><br>
 			<?php endforeach; ?>
 		</div>
 		<?php
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-mode.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-mode.php
index b1aedf1b..1c2370e9 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-mode.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-mode.php
@@ -23,7 +23,7 @@ class SP_Meta_Box_Event_Mode {
     ?>
     <div id="post-formats-select">
       <?php foreach ( array( 'team' => __( 'Team vs team', 'sportspress' ), 'player' => __( 'Player vs player', 'sportspress' ) ) as $key => $mode ): ?>
-        <input type="radio" name="sp_mode" class="post-format" id="post-format-<?php echo $key; ?>" value="<?php echo $key; ?>" <?php checked( $the_mode, $key ); ?>> <label for="post-format-<?php echo $key; ?>" class="post-format-icon post-format-<?php echo $key; ?>"><?php echo $mode; ?></label><br>
+        <input type="radio" name="sp_mode" class="post-format" id="post-format-<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $key ); ?>" <?php checked( $the_mode, $key ); ?>> <label for="post-format-<?php echo esc_attr( $key ); ?>" class="post-format-icon post-format-<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $mode ); ?></label><br>
       <?php endforeach; ?>
     </div>
     <?php
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-officials.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-officials.php
index bebad8fc..95ee1cbe 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-officials.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-officials.php
@@ -42,7 +42,7 @@ class SP_Meta_Box_Event_Officials {
     if ( is_array( $duties ) && sizeof( $duties ) ) {
       foreach ( $duties as $duty ) {
         ?>
-      	<p><strong><?php echo $duty->name; ?></strong></p>
+      	<p><strong><?php echo esc_attr( $duty->name ); ?></strong></p>
         <p><?php
         $args = array(
           'post_type' => 'sp_official',
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
index 1a6098d0..cc7f842d 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
@@ -233,7 +233,7 @@ class SP_Meta_Box_Event_Performance {
 						?>
 						<div>
 							<p>
-								<strong><?php echo get_the_title( $team_id ); ?> &mdash; <?php echo $section_label; ?></strong>
+								<strong><?php echo get_the_title( $team_id ); ?> &mdash; <?php echo esc_attr( $section_label ); ?></strong>
 								<a class="add-new-h2 sp-add-new-h2" href="<?php echo esc_url( admin_url( add_query_arg( array( 'import' => 'sp_event_performance_csv', 'event' => $post_id, 'team' => $team_id ), 'admin.php' ) ) ); ?>"><?php _e( 'Import', 'sportspress' ); ?></a>
 							</p>
 							<?php self::table( $labels[ $section_id ], $columns, $data[ $section_id ], $team_id, ( $has_checkboxes && 0 === $i ), $positions, $status, $section_id, $formats, $order, $numbers, $team_timeline, $timed, $stars ); ?>
@@ -322,12 +322,12 @@ class SP_Meta_Box_Event_Performance {
 							<?php if ( 0 == $i ): ?>
 								<input type="hidden" name="sp_columns[]" value="">
 							<?php endif; ?>
-							<label for="sp_columns_<?php echo $key; ?>">
-								<input type="checkbox" name="sp_columns[]" value="<?php echo $key; ?>" id="sp_columns_<?php echo $key; ?>" <?php checked( ! is_array( $columns ) || in_array( $key, $columns ) ); ?>>
-								<?php echo $label; ?>
+							<label for="sp_columns_<?php echo esc_attr( $key ); ?>">
+								<input type="checkbox" name="sp_columns[]" value="<?php echo esc_attr( $key ); ?>" id="sp_columns_<?php echo esc_attr( $key ); ?>" <?php checked( ! is_array( $columns ) || in_array( $key, $columns ) ); ?>>
+								<?php echo esc_attr( $label ); ?>
 							</label>
 						<?php else: ?>
-							<?php echo $label; ?>
+							<?php echo esc_attr( $label ); ?>
 						<?php endif; ?>
 					</th>
 				<?php $i++; endforeach; ?>
@@ -371,7 +371,7 @@ class SP_Meta_Box_Event_Performance {
 						$format = sp_array_value( $formats, $column, 'number' );
 						$placeholder = sp_get_format_placeholder( $format );
 						?>
-						<td><input type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" placeholder="<?php echo trim( $placeholder ); ?>" value="<?php echo esc_attr( $value ); ?>" data-sp-format="<?php echo $format; ?>" /></td>
+						<td><input type="text" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" placeholder="<?php echo trim( $placeholder ); ?>" value="<?php echo esc_attr( $value ); ?>" data-sp-format="<?php echo esc_attr( $format ); ?>" /></td>
 					<?php endforeach; ?>
 					<?php if ( apply_filters( 'sportspress_event_performance_show_status', $status, $section ) ) { ?>
 						<td>&nbsp;</td>
@@ -394,19 +394,19 @@ class SP_Meta_Box_Event_Performance {
 		$stars_type = get_option( 'sportspress_event_performance_stars_type', 0 );
 		$value = sp_array_value( $player_performance, 'number', '' );
 		?>
-		<tr class="sp-row sp-post" data-player="<?php echo $player_id; ?>">
+		<tr class="sp-row sp-post" data-player="<?php echo esc_attr( $player_id ); ?>">
 			<?php if ( $sortable ) { ?>
 				<td class="icon"><span class="dashicons dashicons-menu post-state-format"></span></td>
 			<?php } ?>
 			<?php if ( apply_filters( 'sportspress_event_performance_show_numbers', $numbers, $section ) ) { ?>
 				<td>
-					<input class="small-text sp-player-number-input sp-sync-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][number]" value="<?php echo esc_attr( $value ); ?>" />
+					<input class="small-text sp-player-number-input sp-sync-input" type="text" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][number]" value="<?php echo esc_attr( $value ); ?>" />
 				</td>
 			<?php } ?>
 			<td>
 				<?php echo apply_filters( 'sportspress_event_performance_player_selection', get_the_title( $player_id ), $player_id ); ?>
 				<?php if ( 1 == $section ) { ?>
-					<input type="hidden" name="sp_order[<?php echo $team_id; ?>][]" value="<?php echo $player_id; ?>">
+					<input type="hidden" name="sp_order[<?php echo esc_attr( $team_id ); ?>][]" value="<?php echo esc_attr( $player_id ); ?>">
 				<?php } ?>
 			</td>
 			<?php if ( $positions ) { ?>
@@ -462,13 +462,13 @@ class SP_Meta_Box_Event_Performance {
 							$timeval = preg_replace( '/^0/', '', $timeval );
 						?>
 
-						<input class="sp-player-<?php echo $column; ?>-input sp-convert-time-input sp-sync-input" type="text" name="sp_times[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $timeval ); ?>" placeholder="<?php echo $placeholder; ?>" />
-						<input class="sp-convert-time-output" type="hidden" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" />
+						<input class="sp-player-<?php echo esc_attr( $column ); ?>-input sp-convert-time-input sp-sync-input" type="text" name="sp_times[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="<?php echo esc_attr( $timeval ); ?>" placeholder="<?php echo esc_attr( $placeholder ); ?>" />
+						<input class="sp-convert-time-output" type="hidden" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="<?php echo esc_attr( $value ); ?>" />
 					<?php } elseif ( 'checkbox' === $format ) { ?>
-						<input type="hidden" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="0" />
-						<input class="sp-player-<?php echo $column; ?>-input sp-sync-input" type="checkbox" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="1" data-value="<?php echo $value; ?>" <?php checked( $value ); ?> />
+						<input type="hidden" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="0" />
+						<input class="sp-player-<?php echo esc_attr( $column ); ?>-input sp-sync-input" type="checkbox" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="1" data-value="<?php echo esc_attr( $value ); ?>" <?php checked( $value ); ?> />
 					<?php } else { ?>
-						<input class="sp-player-<?php echo $column; ?>-input sp-sync-input" type="text" name="sp_players[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php echo $placeholder; ?>" />
+						<input class="sp-player-<?php echo esc_attr( $column ); ?>-input sp-sync-input" type="text" name="sp_players[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>]" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php echo esc_attr( $placeholder ); ?>" />
 					<?php } ?>
 
 					<?php if ( $intval && in_array( $column, $timed ) ) { ?>
@@ -483,7 +483,7 @@ class SP_Meta_Box_Event_Performance {
 						if ( is_array( $times ) ) {
 							?>
 							<hr>
-							<?php for ( $i = 0; $i < $intval; $i++ ) { ?><input class="sp-sync-input small-text" type="text" name="sp_timeline[<?php echo $team_id; ?>][<?php echo $player_id; ?>][<?php echo $column; ?>][<?php echo $i; ?>]" value="<?php echo esc_attr( sp_array_value( $times, $i, '' ) ); ?>" placeholder="-" /><?php } ?>
+							<?php for ( $i = 0; $i < $intval; $i++ ) { ?><input class="sp-sync-input small-text" type="text" name="sp_timeline[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][<?php echo esc_attr( $column ); ?>][<?php echo $i; ?>]" value="<?php echo esc_attr( sp_array_value( $times, $i, '' ) ); ?>" placeholder="-" /><?php } ?>
 							<span class="description"><?php _e( 'mins', 'sportspress' ); ?></span>
 							<?php
 						}
@@ -504,7 +504,7 @@ class SP_Meta_Box_Event_Performance {
 					<?php echo self::status_select( $team_id, $player_id, sp_array_value( $player_performance, 'status', null ) ); ?><br>
 					<?php echo self::sub_select( $team_id, $player_id, sp_array_value( $player_performance, 'sub', null ), $data ); ?><br>
 					<?php if ( is_array( $times ) ) { ?>
-						<input class="sp-sync-input small-text" type="text" name="sp_timeline[<?php echo $team_id; ?>][<?php echo $player_id; ?>][sub][]" value="<?php echo esc_attr( sp_array_value( $times, 0, '' ) ); ?>" placeholder="-" />
+						<input class="sp-sync-input small-text" type="text" name="sp_timeline[<?php echo esc_attr( $team_id ); ?>][<?php echo esc_attr( $player_id ); ?>][sub][]" value="<?php echo esc_attr( sp_array_value( $times, 0, '' ) ); ?>" placeholder="-" />
 						<span class="description"><?php _e( 'mins', 'sportspress' ); ?></span>
 					<?php } ?>
 				</td>