From f07f42b5c928da792c55709faedae21755121ffc Mon Sep 17 00:00:00 2001
From: Brian Miyaji
Date: Sat, 6 Nov 2021 19:03:26 +0900
Subject: [PATCH 1/4] Sanitize instead of escape inputs
---
includes/admin/importers/class-sp-importer.php | 2 +-
includes/admin/post-types/class-sp-admin-cpt-event.php | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/includes/admin/importers/class-sp-importer.php b/includes/admin/importers/class-sp-importer.php
index 9c2568ce..78c91b96 100644
--- a/includes/admin/importers/class-sp-importer.php
+++ b/includes/admin/importers/class-sp-importer.php
@@ -231,7 +231,7 @@ if ( class_exists( 'WP_Importer' ) ) {
if ( file_exists( ABSPATH . $_POST['file_url'] ) ) {
- $this->file_url = esc_attr( $_POST['file_url'] );
+ $this->file_url = sanitize_url( $_POST['file_url'] );
} else {
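Review bot: sanitize_url() is the wrong sanitizer for a value that the line above concatenates onto ABSPATH as a filesystem path; it is an alias of esc_url_raw(), which (as far as I recall its behaviour) prepends `http://` to a scheme-less value that does not start with `/`, `#` or `?`, so a relative path that just passed file_exists() would be stored as a different string than the one checked. The existence check also runs on the raw `$_POST['file_url']`, and nothing confines the resolved path to ABSPATH, so `../` segments are accepted as long as the target exists. I would sanitize once before the check and pin the result under the install root, e.g. `$file_url = sanitize_text_field( wp_unslash( $_POST['file_url'] ) );` then `$real = realpath( ABSPATH . $file_url );` and only assign `$this->file_url` when `$real` is non-false and starts with `realpath( ABSPATH )`. Note also that sanitize_url() was a deprecated function on WordPress releases before 5.9, so this call may emit a deprecation notice on the versions the plugin supported at the time. The enclosing method starts and ends outside the hunk.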
diff --git a/includes/admin/post-types/class-sp-admin-cpt-event.php b/includes/admin/post-types/class-sp-admin-cpt-event.php
index 02236359..cd33a221 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-event.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-event.php
@@ -262,7 +262,7 @@ class SP_Admin_CPT_Event extends SP_Admin_CPT {
if ( $typenow != 'sp_event' )
return;
- $selected = isset( $_REQUEST['team'] ) ? esc_attr( $_REQUEST['team'] ) : null;
+ $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
$args = array(
'post_type' => 'sp_team',
'name' => 'team',
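Review bot: sanitize_key() only lowercases and strips the value to `[a-z0-9_-]`; it does not guarantee a post ID, which is what `$selected` appears to be here since it feeds wp_dropdown_pages() with `'post_type' => 'sp_team'`. If the team filter is keyed by ID, `absint( $_REQUEST['team'] )` is the tighter sanitizer and makes the intent explicit, `$selected = isset( $_REQUEST['team'] ) ? absint( $_REQUEST['team'] ) : null;`; the same consideration applies to the sp_league and sp_season hunks below if those carry term IDs rather than slugs. I cannot see how `$selected` is passed into `$args`, so this is inferred from the dropdown call. The enclosing method starts before the hunk.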
@@ -272,7 +272,7 @@ class SP_Admin_CPT_Event extends SP_Admin_CPT {
);
wp_dropdown_pages( $args );
- $selected = isset( $_REQUEST['sp_league'] ) ? esc_attr( $_REQUEST['sp_league'] ) : null;
+ $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
$args = array(
'show_option_all' => __( 'Show all leagues', 'sportspress' ),
'taxonomy' => 'sp_league',
@@ -281,7 +281,7 @@ class SP_Admin_CPT_Event extends SP_Admin_CPT {
);
sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['sp_season'] ) ? esc_attr( $_REQUEST['sp_season'] ) : null;
+ $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
$args = array(
'show_option_all' => __( 'Show all seasons', 'sportspress' ),
'taxonomy' => 'sp_season',
@@ -290,7 +290,7 @@ class SP_Admin_CPT_Event extends SP_Admin_CPT {
);
sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['match_day'] ) ? esc_attr( $_REQUEST['match_day'] ) : null;
+ $selected = isset( $_REQUEST['match_day'] ) ? sanitize_text_field( $_REQUEST['match_day'] ) : null;
echo '';
if ( current_user_can( 'edit_others_sp_events' ) )
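Review bot: sanitize_text_field() replaces esc_attr() here, but nothing in the hunk escapes `$selected` when it is printed, so if the echo on the line after the assignment writes it into an HTML attribute (its markup appears stripped in this view, so I cannot confirm) the output side now has no escaping at all. Sanitizing input and escaping output are separate steps in WordPress; keep the sanitizer on the assignment and add `esc_attr( $selected )` at the point where the value is echoed. `wp_unslash()` is also missing before the sanitizer, as it is in the other hunks of this file, so a value containing quotes would keep its added slashes. The enclosing method continues outside the hunk.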
From 8be366b70d6c4f6859eff63fcf1d095b4f65b551 Mon Sep 17 00:00:00 2001
From: Brian Miyaji
Date: Sat, 6 Nov 2021 19:08:25 +0900
Subject: [PATCH 2/4] Escape output in template functions
---
includes/sp-template-functions.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/sp-template-functions.php b/includes/sp-template-functions.php
index 66c84c0b..15b50ae7 100644
--- a/includes/sp-template-functions.php
+++ b/includes/sp-template-functions.php
@@ -86,7 +86,7 @@ if ( ! function_exists( 'sportspress_taxonomy_archive_description' ) ) {
if ( is_tax( array( 'sp_season', 'sp_league', 'sp_venue', 'sp_position' ) ) && get_query_var( 'paged' ) == 0 ) {
$description = apply_filters( 'the_content', term_description() );
if ( $description ) {
- echo '' . $description . '
';
+ echo '' . esc_html( $description ) . '
';
}
}
}
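Review bot: esc_html() on `$description` is a functional regression: the value is the result of `apply_filters( 'the_content', term_description() )`, which produces HTML (paragraph wrapping, shortcode output), so the archive description will now render its tags literally. The escaping function that matches this context is `wp_kses_post( $description )`, which strips anything outside the allowed post markup while keeping the filtered HTML intact; replace the esc_html() call with it on the echo line. The enclosing function starts outside the hunk.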
From b8d79e040dcab1b02b7fde7e85a916fd726a8339 Mon Sep 17 00:00:00 2001
From: Brian Miyaji
Date: Sat, 6 Nov 2021 19:08:36 +0900
Subject: [PATCH 3/4] Escape output in admin ajax
---
includes/class-sp-ajax.php | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/includes/class-sp-ajax.php b/includes/class-sp-ajax.php
index 1abf0592..5edf9f02 100644
--- a/includes/class-sp-ajax.php
+++ b/includes/class-sp-ajax.php
@@ -554,7 +554,7 @@ class SP_AJAX {
formats->event as $key => $format ): ?>
-
+
@@ -634,7 +634,7 @@ class SP_AJAX {
$field_id = 'columns';
?>
$label ): ?>
-
+
@@ -761,7 +761,7 @@ class SP_AJAX {
formats->event as $key => $format ): ?>
-
+
@@ -898,7 +898,7 @@ class SP_AJAX {
$field_id = 'columns';
?>
-
+
@@ -1152,7 +1152,7 @@ class SP_AJAX {
-
+
From c87764cc023eb24ebdeb2207d91b74ac578e0bb8 Mon Sep 17 00:00:00 2001
From: Brian Miyaji
Date: Sat, 6 Nov 2021 19:14:57 +0900
Subject: [PATCH 4/4] Escape outputs on modules admin page
---
includes/admin/settings/class-sp-settings-modules.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/includes/admin/settings/class-sp-settings-modules.php b/includes/admin/settings/class-sp-settings-modules.php
index 6f76ccdc..7725c669 100644
--- a/includes/admin/settings/class-sp-settings-modules.php
+++ b/includes/admin/settings/class-sp-settings-modules.php
@@ -222,8 +222,8 @@ class SP_Settings_Modules extends SP_Settings_Page {
|
-
-
+
+
|