From a605d7ed1a54a94324865b9c99e4aef469482e72 Mon Sep 17 00:00:00 2001
From: Brian Miyaji <brian@themeboy.com>
Date: Sun, 14 Nov 2021 13:49:51 +0900
Subject: [PATCH] Sanitize and unslash all inputs

---
 includes/admin/class-sp-admin-ajax.php        |  4 ++--
 .../class-sp-admin-permalink-settings.php     |  2 +-
 includes/admin/class-sp-admin-settings.php    | 16 +++++++--------
 .../admin/class-sp-admin-setup-wizard.php     | 20 +++++++++----------
 includes/admin/class-sp-admin-taxonomies.php  |  4 ++--
 includes/admin/class-sp-admin-welcome.php     | 10 +++++-----
 includes/admin/class-sp-admin.php             |  2 +-
 .../importers/class-sp-event-importer.php     |  8 ++++----
 .../class-sp-event-performance-importer.php   |  8 ++++----
 .../importers/class-sp-fixture-importer.php   |  8 ++++----
 .../admin/importers/class-sp-importer.php     | 10 +++++-----
 .../importers/class-sp-player-importer.php    |  2 +-
 .../post-types/class-sp-admin-cpt-event.php   |  6 +++---
 .../post-types/class-sp-admin-cpt-player.php  |  8 ++++----
 .../admin/post-types/class-sp-admin-cpt.php   |  4 ++--
 .../post-types/class-sp-admin-meta-boxes.php  |  2 +-
 .../settings/class-sp-settings-events.php     |  2 +-
 .../settings/class-sp-settings-general.php    | 18 ++++++++---------
 .../settings/class-sp-settings-licenses.php   |  4 ++--
 .../admin/settings/class-sp-settings-page.php |  2 +-
 .../settings/class-sp-settings-status.php     |  2 +-
 .../admin/settings/class-sp-settings-text.php |  2 +-
 .../admin/views/html-admin-page-status.php    |  2 +-
 includes/sp-core-functions.php                |  2 +-
 includes/sp-template-hooks.php                |  8 ++++----
 .../sportspress-comments-scheduled-events.php | 10 +++++-----
 modules/sportspress-overview.php              |  4 ++--
 modules/sportspress-tutorials.php             |  2 +-
 modules/sportspress-user-registration.php     | 18 ++++++++---------
 templates/event-calendar.php                  |  6 +++---
 30 files changed, 98 insertions(+), 98 deletions(-)

diff --git a/includes/admin/class-sp-admin-ajax.php b/includes/admin/class-sp-admin-ajax.php
index bfbc9fa4..d5f0a002 100644
--- a/includes/admin/class-sp-admin-ajax.php
+++ b/includes/admin/class-sp-admin-ajax.php
@@ -31,7 +31,7 @@ class SP_Admin_AJAX {
 	function save_primary_result() {
 		check_ajax_referer( 'sp-save-primary-result', 'nonce' );
 
-		$primary_result = sanitize_key( $_POST['primary_result'] );
+		$primary_result = sanitize_key( $_POST['primary_result'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 
 		update_option( 'sportspress_primary_result', $primary_result );
 		wp_send_json_success();
@@ -45,7 +45,7 @@ class SP_Admin_AJAX {
 	function save_primary_performance() {
 		check_ajax_referer( 'sp-save-primary-performance', 'nonce' );
 
-		$primary_performance = sanitize_key( $_POST['primary_performance'] );
+		$primary_performance = sanitize_key( $_POST['primary_performance'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 
 		update_option( 'sportspress_primary_performance', $primary_performance );
 		wp_send_json_success();
diff --git a/includes/admin/class-sp-admin-permalink-settings.php b/includes/admin/class-sp-admin-permalink-settings.php
index c8d88746..3a11e27b 100644
--- a/includes/admin/class-sp-admin-permalink-settings.php
+++ b/includes/admin/class-sp-admin-permalink-settings.php
@@ -94,7 +94,7 @@ if ( ! class_exists( 'SP_Admin_Permalink_Settings' ) ) :
 					$key   = 'sportspress_' . $slug[0] . '_slug';
 					$value = null;
 					if ( isset( $_POST[ $key ] ) ) {
-						$value = sanitize_text_field( $_POST[ $key ] );
+						$value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
 					}
 					if ( empty( $value ) ) {
 						delete_option( $key );
diff --git a/includes/admin/class-sp-admin-settings.php b/includes/admin/class-sp-admin-settings.php
index ce727536..1c522638 100644
--- a/includes/admin/class-sp-admin-settings.php
+++ b/includes/admin/class-sp-admin-settings.php
@@ -65,7 +65,7 @@ if ( ! class_exists( 'SP_Admin_Settings' ) ) :
 		public static function save() {
 			global $current_section, $current_tab;
 
-			if ( empty( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'sportspress-settings' ) ) {
+			if ( empty( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( $_REQUEST['_wpnonce'] ), 'sportspress-settings' ) ) {
 				die( esc_html__( 'Action failed. Please refresh the page and retry.', 'sportspress' ) );
 			}
 
@@ -152,8 +152,8 @@ if ( ! class_exists( 'SP_Admin_Settings' ) ) :
 			self::get_settings_pages();
 
 			// Get current tab/section
-			$current_tab     = empty( $_GET['tab'] ) ? 'modules' : sanitize_title( $_GET['tab'] );
-			$current_section = empty( $_REQUEST['section'] ) ? '' : sanitize_title( $_REQUEST['section'] );
+			$current_tab     = empty( $_GET['tab'] ) ? 'modules' : sanitize_title( wp_unslash( $_GET['tab'] ) );
+			$current_section = empty( $_REQUEST['section'] ) ? '' : sanitize_title( wp_unslash( $_REQUEST['section'] ) );
 
 			// Save settings if data has been posted
 			if ( ! empty( $_POST ) ) {
@@ -162,11 +162,11 @@ if ( ! class_exists( 'SP_Admin_Settings' ) ) :
 
 			// Add any posted messages
 			if ( ! empty( $_GET['sp_error'] ) ) {
-				self::add_error( stripslashes( $_GET['sp_error'] ) );
+				self::add_error( stripslashes( sanitize_text_field( wp_unslash( $_GET['sp_error'] ) ) ) );
 			}
 
 			if ( ! empty( $_GET['sp_message'] ) ) {
-				self::add_message( stripslashes( $_GET['sp_message'] ) );
+				self::add_message( stripslashes( sanitize_text_field( wp_unslash( $_GET['sp_message'] ) ) ) );
 			}
 
 			self::show_messages();
@@ -737,7 +737,7 @@ if ( ! class_exists( 'SP_Admin_Settings' ) ) :
 
 					case 'textarea':
 						if ( isset( $_POST[ $value['id'] ] ) ) {
-							$option_value = wp_kses_post( trim( stripslashes( $_POST[ $value['id'] ] ) ) );
+							$option_value = wp_kses_post( trim( stripslashes( sanitize_text_field( wp_unslash( $_POST[ $value['id'] ] ) ) ) ) );
 						} else {
 							$option_value = '';
 						}
@@ -754,7 +754,7 @@ if ( ! class_exists( 'SP_Admin_Settings' ) ) :
 					case 'password':
 					case 'radio':
 						if ( isset( $_POST[ $value['id'] ] ) ) {
-							$option_value = sanitize_text_field( stripslashes( $_POST[ $value['id'] ] ) );
+							$option_value = sanitize_text_field( wp_unslash( $_POST[ $value['id'] ] ) );
 						} else {
 							$option_value = '';
 						}
@@ -766,7 +766,7 @@ if ( ! class_exists( 'SP_Admin_Settings' ) ) :
 					case 'multi_select_countries':
 						// Get countries array
 						if ( isset( $_POST[ $value['id'] ] ) ) {
-							$selected_countries = array_map( 'sanitize_text_field', array_map( 'stripslashes', (array) $_POST[ $value['id'] ] ) );
+							$selected_countries = array_map( 'sanitize_text_field', array_map( 'wp_unslash', (array) $_POST[ $value['id'] ] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 						} else {
 							$selected_countries = array();
 						}
diff --git a/includes/admin/class-sp-admin-setup-wizard.php b/includes/admin/class-sp-admin-setup-wizard.php
index 458e5f28..8c07dffe 100644
--- a/includes/admin/class-sp-admin-setup-wizard.php
+++ b/includes/admin/class-sp-admin-setup-wizard.php
@@ -314,7 +314,7 @@ class SP_Admin_Setup_Wizard {
 		check_admin_referer( 'sp-setup' );
 
 		// Update timezone
-		$timezone_string = sanitize_text_field( $_POST['timezone_string'] );
+		$timezone_string = sanitize_text_field( wp_unslash( $_POST['timezone_string'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 		if ( ! empty( $timezone_string ) && preg_match( '/^UTC[+-]/', $timezone_string ) ) {
 			$gmt_offset      = $timezone_string;
 			$gmt_offset      = preg_replace( '/UTC\+?/', '', $gmt_offset );
@@ -330,14 +330,14 @@ class SP_Admin_Setup_Wizard {
 		}
 
 		// Update sport
-		$sport = sanitize_text_field( $_POST['sport'] );
+		$sport = sanitize_text_field( wp_unslash( $_POST['sport'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 		if ( ! empty( $sport ) && get_option( 'sportspress_sport', null ) !== $sport ) {
 			SP_Admin_Sports::apply_preset( $sport );
 		}
 		update_option( 'sportspress_sport', $sport );
 
 		// Insert league
-		$league = sanitize_text_field( $_POST['league'] );
+		$league = sanitize_text_field( wp_unslash( $_POST['league'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 		if ( ! is_string( $league ) || empty( $league ) ) {
 			$league = _x( 'Primary League', 'example', 'sportspress' );
 		}
@@ -347,7 +347,7 @@ class SP_Admin_Setup_Wizard {
 		}
 
 		// Insert season
-		$season = sanitize_text_field( $_POST['season'] );
+		$season = sanitize_text_field( wp_unslash( $_POST['season'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 		if ( ! is_string( $season ) || empty( $season ) ) {
 			$season = date( 'Y' );
 		}
@@ -401,7 +401,7 @@ class SP_Admin_Setup_Wizard {
 		check_admin_referer( 'sp-setup' );
 
 		// Add away team
-		$post['post_title']  = sanitize_text_field( $_POST['away_team'] );
+		$post['post_title']  = sanitize_text_field( wp_unslash( $_POST['away_team'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 		$post['post_type']   = 'sp_team';
 		$post['post_status'] = 'publish';
 		$post['tax_input']   = array();
@@ -418,7 +418,7 @@ class SP_Admin_Setup_Wizard {
 		wp_insert_post( $post );
 
 		// Add home team
-		$post['post_title'] = sanitize_text_field( $_POST['home_team'] );
+		$post['post_title'] = sanitize_text_field( wp_unslash( $_POST['home_team'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 		wp_insert_post( $post );
 
 		wp_redirect( esc_url_raw( $this->get_next_step_link() ) );
@@ -506,8 +506,8 @@ class SP_Admin_Setup_Wizard {
 				)
 			);
 		}
-		if ( is_array( $_POST['players'] ) ) {
-			foreach ( $_POST['players'] as $i => $player ) {
+		if ( is_array( $_POST['players'] ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+			foreach ( $_POST['players'] as $i => $player ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 				if ( empty( $player['name'] ) ) {
 					continue;
 				}
@@ -534,7 +534,7 @@ class SP_Admin_Setup_Wizard {
 		if ( ! empty( $_POST['staff'] ) ) {
 
 			$post['post_type']  = 'sp_staff';
-			$post['post_title'] = sanitize_text_field( $_POST['staff'] );
+			$post['post_title'] = sanitize_text_field( wp_unslash( $_POST['staff'] ) );
 			$id                 = wp_insert_post( $post );
 
 			// Add role
@@ -606,7 +606,7 @@ class SP_Admin_Setup_Wizard {
 		$team  = reset( $teams );
 
 		// Insert venue
-		$venue = sanitize_text_field( $_POST['venue'] );
+		$venue = sanitize_text_field( wp_unslash( $_POST['venue'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 		if ( ! is_string( $venue ) || empty( $venue ) ) {
 			$venue = sp_array_value( $_POST, 'address', esc_attr__( 'Venue', 'sportspress' ) );
 		}
diff --git a/includes/admin/class-sp-admin-taxonomies.php b/includes/admin/class-sp-admin-taxonomies.php
index 81513a2d..6284dedc 100644
--- a/includes/admin/class-sp-admin-taxonomies.php
+++ b/includes/admin/class-sp-admin-taxonomies.php
@@ -267,10 +267,10 @@ class SP_Admin_Taxonomies {
 		if ( isset( $_POST['term_meta'] ) ) {
 			$t_id      = $term_id;
 			$term_meta = get_option( "taxonomy_$t_id" );
-			$cat_keys  = array_keys( $_POST['term_meta'] );
+			$cat_keys  = array_keys( wp_unslash( $_POST['term_meta'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 			foreach ( $cat_keys as $key ) {
 				if ( isset( $_POST['term_meta'][ $key ] ) ) {
-					$term_meta[ $key ] = sanitize_text_field( $_POST['term_meta'][ $key ] );
+					$term_meta[ $key ] = sanitize_text_field( wp_unslash( $_POST['term_meta'][ $key ] ) );
 				}
 			}
 			update_option( "taxonomy_$t_id", $term_meta );
diff --git a/includes/admin/class-sp-admin-welcome.php b/includes/admin/class-sp-admin-welcome.php
index 74cc64e4..20d62a06 100644
--- a/includes/admin/class-sp-admin-welcome.php
+++ b/includes/admin/class-sp-admin-welcome.php
@@ -146,14 +146,14 @@ class SP_Admin_Welcome {
 	<h2 class="nav-tab-wrapper">
 	  <a class="nav-tab 
 		<?php
-		if ( $_GET['page'] == 'sp-about' ) {
+		if ( sanitize_key( $_GET['page'] ) == 'sp-about' ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 			echo 'nav-tab-active';}
 		?>
 		" href="<?php echo esc_url( admin_url( add_query_arg( array( 'page' => 'sp-about' ), 'index.php' ) ) ); ?>">
 		<?php esc_html_e( 'Welcome', 'sportspress' ); ?>
 	  </a><a class="nav-tab 
 		<?php
-		if ( $_GET['page'] == 'sp-credits' ) {
+		if ( sanitize_key( $_GET['page'] ) == 'sp-credits' ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 			echo 'nav-tab-active';}
 		?>
 		" href="<?php echo esc_url( admin_url( add_query_arg( array( 'page' => 'sp-credits' ), 'index.php' ) ) ); ?>">
@@ -177,11 +177,11 @@ class SP_Admin_Welcome {
 		<?php
 		// Save settings
 		if ( isset( $_POST['timezone_string'] ) ) :
-			update_option( 'timezone_string', sanitize_text_field( $_POST['timezone_string'] ) );
+			update_option( 'timezone_string', sanitize_text_field( wp_unslash( $_POST['timezone_string'] ) ) );
 			update_option( 'sportspress_basic_setup', 1 );
 		  endif;
 		if ( isset( $_POST['sportspress_sport'] ) && ! empty( $_POST['sportspress_sport'] ) ) :
-			$sport = sanitize_text_field( $_POST['sportspress_sport'] );
+			$sport = sanitize_text_field( wp_unslash( $_POST['sportspress_sport'] ) );
 			SP_Admin_Sports::apply_preset( $sport );
 			update_option( 'sportspress_sport', $sport );
 			delete_option( '_sp_needs_welcome' );
@@ -439,7 +439,7 @@ class SP_Admin_Welcome {
 			return;
 		}
 
-		if ( ( isset( $_GET['action'] ) && 'upgrade-plugin' == $_GET['action'] ) && ( isset( $_GET['plugin'] ) && strstr( $_GET['plugin'], 'sportspress.php' ) ) ) {
+		if ( ( isset( $_GET['action'] ) && 'upgrade-plugin' == sanitize_key( $_GET['action'] ) ) && ( isset( $_GET['plugin'] ) && strstr( $_GET['plugin'], 'sportspress.php' ) ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 			return;
 		}
 
diff --git a/includes/admin/class-sp-admin.php b/includes/admin/class-sp-admin.php
index f9cb650b..4f723e8d 100644
--- a/includes/admin/class-sp-admin.php
+++ b/includes/admin/class-sp-admin.php
@@ -85,7 +85,7 @@ class SP_Admin {
 	public function prevent_admin_access() {
 		$prevent_access = false;
 
-		if ( 'yes' == get_option( 'sportspress_lock_down_admin' ) && ! is_ajax() && ! ( current_user_can( 'edit_posts' ) || current_user_can( 'manage_sportspress' ) ) && basename( $_SERVER['SCRIPT_FILENAME'] ) !== 'admin-post.php' ) {
+		if ( 'yes' == get_option( 'sportspress_lock_down_admin' ) && ! is_ajax() && ! ( current_user_can( 'edit_posts' ) || current_user_can( 'manage_sportspress' ) ) && basename( $_SERVER['SCRIPT_FILENAME'] ) !== 'admin-post.php' ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 			$prevent_access = true;
 		}
 
diff --git a/includes/admin/importers/class-sp-event-importer.php b/includes/admin/importers/class-sp-event-importer.php
index 3dd22894..8c708c34 100644
--- a/includes/admin/importers/class-sp-event-importer.php
+++ b/includes/admin/importers/class-sp-event-importer.php
@@ -58,10 +58,10 @@ if ( class_exists( 'WP_Importer' ) ) {
 			$rows = array_chunk( $array, sizeof( $columns ) );
 
 			// Get event format, league, and season from post vars
-			$event_format = ( empty( $_POST['sp_format'] ) ? false : sanitize_text_field( $_POST['sp_format'] ) );
-			$league       = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : sanitize_text_field( $_POST['sp_league'] ) );
-			$season       = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : sanitize_text_field( $_POST['sp_season'] ) );
-			$date_format  = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( $_POST['sp_date_format'] ) );
+			$event_format = ( empty( $_POST['sp_format'] ) ? false : sanitize_key( $_POST['sp_format'] ) );
+			$league       = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : sanitize_key( $_POST['sp_league'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+			$season       = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : sanitize_key( $_POST['sp_season'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+			$date_format  = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( wp_unslash( $_POST['sp_date_format'] ) ) );
 
 			// Get labels from result and performance post types
 			$result_labels      = sp_get_var_labels( 'sp_result' );
diff --git a/includes/admin/importers/class-sp-event-performance-importer.php b/includes/admin/importers/class-sp-event-performance-importer.php
index 6faa1e0f..726f205a 100644
--- a/includes/admin/importers/class-sp-event-performance-importer.php
+++ b/includes/admin/importers/class-sp-event-performance-importer.php
@@ -52,10 +52,10 @@ if ( class_exists( 'WP_Importer' ) ) {
 			$rows = array_chunk( $array, sizeof( $columns ) );
 
 			// Get event ID and team ID from post vars
-			$event = ( empty( $_POST['sp_event'] ) ? false : sanitize_text_field( $_POST['sp_event'] ) );
-			$teams = ( empty( $_POST['sp_teams'] ) ? false : sanitize_text_field( $_POST['sp_teams'] ) );
-			$index = ( empty( $_POST['sp_index'] ) ? false : sanitize_text_field( $_POST['sp_index'] ) );
-			$team  = ( empty( $_POST['sp_team'] ) ? false : sanitize_text_field( $_POST['sp_team'] ) );
+			$event = ( empty( $_POST['sp_event'] ) ? false : sanitize_text_field( wp_unslash( $_POST['sp_event'] ) ) );
+			$teams = ( empty( $_POST['sp_teams'] ) ? false : sanitize_text_field( wp_unslash( $_POST['sp_teams'] ) ) );
+			$index = ( empty( $_POST['sp_index'] ) ? false : sanitize_text_field( wp_unslash( $_POST['sp_index'] ) ) );
+			$team  = ( empty( $_POST['sp_team'] ) ? false : sanitize_text_field( wp_unslash( $_POST['sp_team'] ) ) );
 
 			$team_players     = array( 0 );
 			$team_performance = array();
diff --git a/includes/admin/importers/class-sp-fixture-importer.php b/includes/admin/importers/class-sp-fixture-importer.php
index c59d5e48..2b52e1cf 100644
--- a/includes/admin/importers/class-sp-fixture-importer.php
+++ b/includes/admin/importers/class-sp-fixture-importer.php
@@ -54,10 +54,10 @@ if ( class_exists( 'WP_Importer' ) ) {
 			$rows = array_chunk( $array, sizeof( $columns ) );
 
 			// Get event format, league, and season from post vars
-			$event_format = ( empty( $_POST['sp_format'] ) ? false : $_POST['sp_format'] );
-			$league       = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : $_POST['sp_league'] );
-			$season       = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : $_POST['sp_season'] );
-			$date_format  = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : $_POST['sp_date_format'] );
+			$event_format = ( empty( $_POST['sp_format'] ) ? false : sanitize_key( $_POST['sp_format'] ) );
+			$league       = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : sanitize_key( $_POST['sp_league'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+			$season       = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : sanitize_key( $_POST['sp_season'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+			$date_format  = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( wp_unslash( $_POST['sp_date_format'] ) ) );
 
 			foreach ( $rows as $row ) :
 
diff --git a/includes/admin/importers/class-sp-importer.php b/includes/admin/importers/class-sp-importer.php
index afdcc9dd..f490148b 100644
--- a/includes/admin/importers/class-sp-importer.php
+++ b/includes/admin/importers/class-sp-importer.php
@@ -49,7 +49,7 @@ if ( class_exists( 'WP_Importer' ) ) {
 			$this->header();
 
 			if ( ! empty( $_POST['delimiter'] ) ) {
-				$this->delimiter = stripslashes( trim( sanitize_text_field( $_POST['delimiter'] ) ) );
+				$this->delimiter = stripslashes( trim( sanitize_text_field( wp_unslash( $_POST['delimiter'] ) ) ) );
 			}
 
 			if ( ! $this->delimiter ) {
@@ -87,8 +87,8 @@ if ( class_exists( 'WP_Importer' ) ) {
 				case 2:
 					check_admin_referer( 'import-upload' );
 					if ( isset( $_POST['sp_import'] ) ) :
-						$columns = array_filter( sp_array_value( $_POST, 'sp_columns', array( 'post_title' ) ) );
-						$this->import( $_POST['sp_import'], array_values( $columns ) );
+						$columns = array_filter( array_map( 'sanitize_key', array_map( 'wp_unslash', sp_array_value( $_POST, 'sp_columns', array( 'post_title' ) ) ) ) );
+						$this->import( $_POST['sp_import'], array_values( $columns ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 					endif;
 					break;
 			endswitch;
@@ -249,9 +249,9 @@ endwhile;
 
 			} else {
 
-				if ( file_exists( ABSPATH . $_POST['file_url'] ) ) {
+				if ( file_exists( ABSPATH . sanitize_url( wp_unslash( $_POST['file_url'] ) ) ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 
-					$this->file_url = sanitize_url( $_POST['file_url'] );
+					$this->file_url = sanitize_url( wp_unslash( $_POST['file_url'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 
 				} else {
 
diff --git a/includes/admin/importers/class-sp-player-importer.php b/includes/admin/importers/class-sp-player-importer.php
index 4944d2aa..4a2790bd 100644
--- a/includes/admin/importers/class-sp-player-importer.php
+++ b/includes/admin/importers/class-sp-player-importer.php
@@ -56,7 +56,7 @@ if ( class_exists( 'WP_Importer' ) ) {
 			$rows = array_chunk( $array, sizeof( $columns ) );
 
 			// Get Date of Birth format from post vars
-			$date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( $_POST['sp_date_format'] ) );
+			$date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( wp_unslash( $_POST['sp_date_format'] ) ) );
 
 			foreach ( $rows as $row ) :
 
diff --git a/includes/admin/post-types/class-sp-admin-cpt-event.php b/includes/admin/post-types/class-sp-admin-cpt-event.php
index e03797a0..59d00530 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-event.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-event.php
@@ -311,7 +311,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Event' ) ) :
 			);
 			sp_dropdown_taxonomies( $args );
 
-			$selected = isset( $_REQUEST['match_day'] ) ? sanitize_text_field( $_REQUEST['match_day'] ) : null;
+			$selected = isset( $_REQUEST['match_day'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['match_day'] ) ) : null;
 			echo '<input name="match_day" type="text" class="sp-tablenav-input" placeholder="' . esc_attr__( 'Match Day', 'sportspress' ) . '" value="' . esc_attr( $selected ) . '">';
 
 			if ( current_user_can( 'edit_others_sp_events' ) ) {
@@ -336,14 +336,14 @@ if ( ! class_exists( 'SP_Admin_CPT_Event' ) ) :
 				if ( ! empty( $_GET['team'] ) ) {
 					$query->query_vars['meta_query'][] = array(
 						'key'   => 'sp_team',
-						'value' => $_GET['team'],
+						'value' => sanitize_key( $_GET['team'] ),
 					);
 				}
 
 				if ( ! empty( $_GET['match_day'] ) ) {
 					$query->query_vars['meta_query'][] = array(
 						'key'   => 'sp_day',
-						'value' => $_GET['match_day'],
+						'value' => sanitize_text_field( wp_unslash( $_GET['match_day'] ) ),
 					);
 				}
 			}
diff --git a/includes/admin/post-types/class-sp-admin-cpt-player.php b/includes/admin/post-types/class-sp-admin-cpt-player.php
index e0cbecb0..29879a9a 100755
--- a/includes/admin/post-types/class-sp-admin-cpt-player.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-player.php
@@ -313,7 +313,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Player' ) ) :
 			}
 
 			$_POST += array( "{$this->type}_edit_nonce" => '' );
-			if ( ! wp_verify_nonce( $_POST[ "{$this->type}_edit_nonce" ], plugin_basename( __FILE__ ) ) ) {
+			if ( ! isset( $_POST[ "{$this->type}_edit_nonce" ] ) || ! wp_verify_nonce( sanitize_key( $_POST[ "{$this->type}_edit_nonce" ] ), plugin_basename( __FILE__ ) ) ) {
 				return $post_id;
 			}
 
@@ -325,7 +325,7 @@ if ( ! class_exists( 'SP_Admin_CPT_Player' ) ) :
 			}
 
 			if ( isset( $_POST['sp_number'] ) ) {
-				update_post_meta( $post_id, 'sp_number', $_POST['sp_number'] );
+				update_post_meta( $post_id, 'sp_number', sanitize_text_field( wp_unslash( $_POST['sp_number'] ) ) );
 			}
 
 			sp_update_post_meta_recursive( $post_id, 'sp_current_team', sp_array_value( $_POST, 'sp_current_team', array() ) );
@@ -391,11 +391,11 @@ if ( ! class_exists( 'SP_Admin_CPT_Player' ) ) :
 		 */
 		public function bulk_save() {
 			$_POST += array( 'nonce' => '' );
-			if ( ! wp_verify_nonce( $_POST['nonce'], plugin_basename( __FILE__ ) ) ) {
+			if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['nonce'] ), plugin_basename( __FILE__ ) ) ) {
 				return;
 			}
 
-			$post_ids = ( ! empty( $_POST['post_ids'] ) ) ? $_POST['post_ids'] : array();
+			$post_ids = ( ! empty( $_POST['post_ids'] ) ) ? $_POST['post_ids'] : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 
 			$current_teams = sp_array_value( $_POST, 'current_teams', array() );
 			$past_teams    = sp_array_value( $_POST, 'past_teams', array() );
diff --git a/includes/admin/post-types/class-sp-admin-cpt.php b/includes/admin/post-types/class-sp-admin-cpt.php
index 75a63bdc..6541f080 100644
--- a/includes/admin/post-types/class-sp-admin-cpt.php
+++ b/includes/admin/post-types/class-sp-admin-cpt.php
@@ -58,10 +58,10 @@ if ( ! class_exists( 'SP_Admin_CPT' ) ) :
 			if ( ! empty( $_GET['post_type'] ) && $this->type == $_GET['post_type'] ) {
 				return true;
 			}
-			if ( ! empty( $_GET['post'] ) && $this->type == get_post_type( $_GET['post'] ) ) {
+			if ( ! empty( $_GET['post'] ) && $this->type == get_post_type( sanitize_key( $_GET['post'] ) ) ) {
 				return true;
 			}
-			if ( ! empty( $_REQUEST['post_id'] ) && $this->type == get_post_type( $_REQUEST['post_id'] ) ) {
+			if ( ! empty( $_REQUEST['post_id'] ) && $this->type == get_post_type( sanitize_key( $_REQUEST['post_id'] ) ) ) {
 				return true;
 			}
 			return false;
diff --git a/includes/admin/post-types/class-sp-admin-meta-boxes.php b/includes/admin/post-types/class-sp-admin-meta-boxes.php
index f94fe61b..456b7998 100644
--- a/includes/admin/post-types/class-sp-admin-meta-boxes.php
+++ b/includes/admin/post-types/class-sp-admin-meta-boxes.php
@@ -329,7 +329,7 @@ class SP_Admin_Meta_Boxes {
 		if ( is_int( wp_is_post_autosave( $post ) ) ) {
 			return;
 		}
-		if ( empty( $_POST['sportspress_meta_nonce'] ) || ! wp_verify_nonce( $_POST['sportspress_meta_nonce'], 'sportspress_save_data' ) ) {
+		if ( empty( $_POST['sportspress_meta_nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['sportspress_meta_nonce'] ), 'sportspress_save_data' ) ) {
 			return;
 		}
 		if ( ! apply_filters( 'sportspress_user_can', current_user_can( 'edit_post', $post_id ), $post_id ) ) {
diff --git a/includes/admin/settings/class-sp-settings-events.php b/includes/admin/settings/class-sp-settings-events.php
index a6ff9329..93958b9f 100644
--- a/includes/admin/settings/class-sp-settings-events.php
+++ b/includes/admin/settings/class-sp-settings-events.php
@@ -520,7 +520,7 @@ if ( ! class_exists( 'SP_Settings_Events' ) ) :
 			parent::save();
 
 			if ( isset( $_POST['sportspress_event_teams_delimiter'] ) ) {
-				update_option( 'sportspress_event_teams_delimiter', sanitize_text_field( $_POST['sportspress_event_teams_delimiter'] ) );
+				update_option( 'sportspress_event_teams_delimiter', sanitize_text_field( wp_unslash( $_POST['sportspress_event_teams_delimiter'] ) ) );
 			}
 		}
 
diff --git a/includes/admin/settings/class-sp-settings-general.php b/includes/admin/settings/class-sp-settings-general.php
index 5127dfb3..d1c2c3a6 100644
--- a/includes/admin/settings/class-sp-settings-general.php
+++ b/includes/admin/settings/class-sp-settings-general.php
@@ -281,27 +281,27 @@ if ( ! class_exists( 'SP_Settings_General' ) ) :
 			SP_Admin_Settings::save_fields( $settings );
 
 			// Map UTC+- timezones to gmt_offsets and set timezone_string to empty.
-			if ( ! empty( $_POST['timezone_string'] ) && preg_match( '/^UTC[+-]/', $_POST['timezone_string'] ) ) {
-				$_POST['gmt_offset']      = preg_replace( '/UTC\+?/', '', sanitize_text_field( $_POST['timezone_string'] ) );
+			if ( ! empty( $_POST['timezone_string'] ) && preg_match( '/^UTC[+-]/', $_POST['timezone_string'] ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+				$_POST['gmt_offset']      = preg_replace( '/UTC\+?/', '', sanitize_text_field( wp_unslash( $_POST['timezone_string'] ) ) );
 				$_POST['timezone_string'] = '';
 			}
 
 			if ( isset( $_POST['timezone_string'] ) ) {
-				update_option( 'timezone_string', sanitize_option( 'timezone_string', $_POST['timezone_string'] ) );
+				update_option( 'timezone_string', sanitize_option( 'timezone_string', wp_unslash( $_POST['timezone_string'] ) ) );
 			}
 
 			if ( isset( $_POST['gmt_offset'] ) ) {
-				update_option( 'gmt_offset', sanitize_option( 'gmt_offset', $_POST['gmt_offset'] ) );
+				update_option( 'gmt_offset', sanitize_option( 'gmt_offset', wp_unslash( $_POST['gmt_offset'] ) ) );
 			}
 
 			if ( isset( $_POST['sportspress_frontend_css_primary'] ) ) {
 
 				// Save settings
-				$primary    = ( ! empty( $_POST['sportspress_frontend_css_primary'] ) ) ? sp_format_hex( $_POST['sportspress_frontend_css_primary'] ) : '';
-				$background = ( ! empty( $_POST['sportspress_frontend_css_background'] ) ) ? sp_format_hex( $_POST['sportspress_frontend_css_background'] ) : '';
-				$text       = ( ! empty( $_POST['sportspress_frontend_css_text'] ) ) ? sp_format_hex( $_POST['sportspress_frontend_css_text'] ) : '';
-				$heading    = ( ! empty( $_POST['sportspress_frontend_css_heading'] ) ) ? sp_format_hex( $_POST['sportspress_frontend_css_heading'] ) : '';
-				$link       = ( ! empty( $_POST['sportspress_frontend_css_link'] ) ) ? sp_format_hex( $_POST['sportspress_frontend_css_link'] ) : '';
+				$primary    = ( ! empty( $_POST['sportspress_frontend_css_primary'] ) ) ? sp_format_hex( sanitize_text_field( wp_unslash( $_POST['sportspress_frontend_css_primary'] ) ) ) : '';
+				$background = ( ! empty( $_POST['sportspress_frontend_css_background'] ) ) ? sp_format_hex( sanitize_text_field( wp_unslash( $_POST['sportspress_frontend_css_background'] ) ) ) : '';
+				$text       = ( ! empty( $_POST['sportspress_frontend_css_text'] ) ) ? sp_format_hex( sanitize_text_field( wp_unslash( $_POST['sportspress_frontend_css_text'] ) ) ) : '';
+				$heading    = ( ! empty( $_POST['sportspress_frontend_css_heading'] ) ) ? sp_format_hex( sanitize_text_field( wp_unslash( $_POST['sportspress_frontend_css_heading'] ) ) ) : '';
+				$link       = ( ! empty( $_POST['sportspress_frontend_css_link'] ) ) ? sp_format_hex( sanitize_text_field( wp_unslash( $_POST['sportspress_frontend_css_link'] ) ) ) : '';
 				$customize  = ( ! empty( $_POST['sportspress_frontend_css_customize'] ) ) ? 1 : '';
 
 				$colors = array(
diff --git a/includes/admin/settings/class-sp-settings-licenses.php b/includes/admin/settings/class-sp-settings-licenses.php
index 5036d6fd..6b162854 100644
--- a/includes/admin/settings/class-sp-settings-licenses.php
+++ b/includes/admin/settings/class-sp-settings-licenses.php
@@ -134,7 +134,7 @@ if ( ! class_exists( 'SP_Settings_Licenses' ) ) :
 			}
 
 			// retrieve the license key
-			$license = trim( sanitize_text_field( $_POST[ 'sp_license_key_' . $id ] ) );
+			$license = trim( sanitize_text_field( wp_unslash( $_POST[ 'sp_license_key_' . $id ] ) ) );
 
 			// get the name of the product
 			$name = $this->licenses[ $id ]['name'];
@@ -189,7 +189,7 @@ if ( ! class_exists( 'SP_Settings_Licenses' ) ) :
 			}
 
 			// retrieve the license key
-			$license = trim( sanitize_text_field( $_POST[ 'sp_license_key_' . $id ] ) );
+			$license = trim( sanitize_text_field( wp_unslash( $_POST[ 'sp_license_key_' . $id ] ) ) );
 
 			// get the name of the product
 			$name = $this->licenses[ $id ]['name'];
diff --git a/includes/admin/settings/class-sp-settings-page.php b/includes/admin/settings/class-sp-settings-page.php
index 8bc3a5a1..8619b350 100644
--- a/includes/admin/settings/class-sp-settings-page.php
+++ b/includes/admin/settings/class-sp-settings-page.php
@@ -81,7 +81,7 @@ if ( ! class_exists( 'SP_Settings_Page' ) ) :
 			}
 
 			if ( isset( $_POST['sportspress_template_visibility'] ) && is_array( $_POST['sportspress_template_visibility'] ) ) {
-				foreach ( $_POST['sportspress_template_visibility'] as $option => $toggled ) {
+				foreach ( $_POST['sportspress_template_visibility'] as $option => $toggled ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 					if ( $toggled ) {
 						update_option( $option, 'yes' );
 					} else {
diff --git a/includes/admin/settings/class-sp-settings-status.php b/includes/admin/settings/class-sp-settings-status.php
index 980974cb..c18f936c 100644
--- a/includes/admin/settings/class-sp-settings-status.php
+++ b/includes/admin/settings/class-sp-settings-status.php
@@ -87,7 +87,7 @@ if ( ! class_exists( 'SP_Settings_Status' ) ) :
 				</tr>
 				<tr>
 					<td><?php esc_html_e( 'Web Server Info', 'sportspress' ); ?>:</td>
-					<td><?php echo esc_html( $_SERVER['SERVER_SOFTWARE'] ); ?></td>
+					<td><?php echo esc_html( wp_unslash( $_SERVER['SERVER_SOFTWARE'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput ?></td>
 				</tr>
 				<tr>
 					<td><?php esc_html_e( 'PHP Version', 'sportspress' ); ?>:</td>
diff --git a/includes/admin/settings/class-sp-settings-text.php b/includes/admin/settings/class-sp-settings-text.php
index ecf9c385..7b20a7a9 100644
--- a/includes/admin/settings/class-sp-settings-text.php
+++ b/includes/admin/settings/class-sp-settings-text.php
@@ -81,7 +81,7 @@ if ( ! class_exists( 'SP_Settings_Text' ) ) :
 		 */
 		public function save() {
 			if ( isset( $_POST['sportspress_text'] ) ) {
-				update_option( 'sportspress_text', array_map( 'sanitize_text_field', $_POST['sportspress_text'] ) );
+				update_option( 'sportspress_text', array_map( 'sanitize_text_field', array_map( 'wp_unslash', $_POST['sportspress_text'] ) ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 			}
 		}
 	}
diff --git a/includes/admin/views/html-admin-page-status.php b/includes/admin/views/html-admin-page-status.php
index c3a877e8..ed3c65a3 100644
--- a/includes/admin/views/html-admin-page-status.php
+++ b/includes/admin/views/html-admin-page-status.php
@@ -46,7 +46,7 @@
 		</tr>
 		<tr>
 			<td><?php esc_attr_e( 'Web Server Info', 'sportspress' ); ?>:</td>
-			<td><?php echo esc_html( $_SERVER['SERVER_SOFTWARE'] ); ?></td>
+			<td><?php echo esc_html( $_SERVER['SERVER_SOFTWARE'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput ?></td>
 		</tr>
 		<tr>
 			<td><?php esc_attr_e( 'PHP Version', 'sportspress' ); ?>:</td>
diff --git a/includes/sp-core-functions.php b/includes/sp-core-functions.php
index 5342585d..8fc79ec9 100644
--- a/includes/sp-core-functions.php
+++ b/includes/sp-core-functions.php
@@ -309,7 +309,7 @@ if ( ! function_exists( 'sp_nonce' ) ) {
 if ( ! function_exists( 'sp_get_option' ) ) {
 	function sp_get_option( $option, $default = null ) {
 		if ( isset( $_POST[ $option ] ) ) {
-			return $_POST[ $option ];
+			sanitize_text_field( wp_unslash( $_POST[ $option ] ) );
 		} else {
 			return get_option( $option, $default );
 		}
diff --git a/includes/sp-template-hooks.php b/includes/sp-template-hooks.php
index c394e472..afa969b0 100644
--- a/includes/sp-template-hooks.php
+++ b/includes/sp-template-hooks.php
@@ -235,16 +235,16 @@ function sportspress_sanitize_title( $title ) {
 
 		return $title;
 
-	elseif ( isset( $_POST ) && array_key_exists( 'post_type', $_POST ) && is_sp_config_type( $_POST['post_type'] ) ) :
+	elseif ( isset( $_POST ) && array_key_exists( 'post_type', $_POST ) && is_sp_config_type( sanitize_key( $_POST['post_type'] ) ) ) :
 
-		$key = isset( $_POST['sp_key'] ) ? sanitize_text_field( $_POST['sp_key'] ) : null;
+		$key = isset( $_POST['sp_key'] ) ? sanitize_text_field( wp_unslash( $_POST['sp_key'] ) ) : null;
 
 		if ( ! $key ) {
-			$key = isset( $_POST['sp_default_key'] ) ? sanitize_text_field( $_POST['sp_default_key'] ) : null;
+			$key = isset( $_POST['sp_default_key'] ) ? sanitize_text_field( wp_unslash( $_POST['sp_default_key'] ) ) : null;
 		}
 
 		if ( ! $key ) {
-			$key = sanitize_text_field( $_POST['post_title'] );
+			$key = sanitize_text_field( wp_unslash( $_POST['post_title'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
 		}
 
 		$id = sp_array_value( $_POST, 'post_ID', 'var', 'text' );
diff --git a/modules/sportspress-comments-scheduled-events.php b/modules/sportspress-comments-scheduled-events.php
index 3d8da987..da503e59 100644
--- a/modules/sportspress-comments-scheduled-events.php
+++ b/modules/sportspress-comments-scheduled-events.php
@@ -54,10 +54,10 @@ if ( ! class_exists( 'SportsPress_Comments_Scheduled_Events' ) ) :
 
 			do_action( 'pre_comment_on_post', $comment_post_ID );
 
-			$comment_author       = ( isset( $_POST['author'] ) ) ? trim( strip_tags( $_POST['author'] ) ) : null;
-			$comment_author_email = ( isset( $_POST['email'] ) ) ? sanitize_email( trim( $_POST['email'] ) ) : null;
-			$comment_author_url   = ( isset( $_POST['url'] ) ) ? esc_url( trim( $_POST['url'] ) ) : null;
-			$comment_content      = ( isset( $_POST['comment'] ) ) ? esc_textarea( trim( $_POST['comment'] ) ) : null;
+			$comment_author       = ( isset( $_POST['author'] ) ) ? trim( strip_tags( sanitize_text_field( wp_unslash( $_POST['author'] ) ) ) ) : null;
+			$comment_author_email = ( isset( $_POST['email'] ) ) ? trim( sanitize_email( wp_unslash( $_POST['email'] ) ) ) : null;
+			$comment_author_url   = ( isset( $_POST['url'] ) ) ? trim( sanitize_url( wp_unslash( $_POST['url'] ) ) ) : null; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+			$comment_content      = ( isset( $_POST['comment'] ) ) ? trim( sanitize_text_field( wp_unslash( $_POST['comment'] ) ) ) : null;
 
 			// If the user is logged in
 			$user = wp_get_current_user();
@@ -136,7 +136,7 @@ if ( ! class_exists( 'SportsPress_Comments_Scheduled_Events' ) ) :
 				wp_set_comment_status( $comment_id, 'approve' );
 			}
 
-			$location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment_id ) : $_POST['redirect_to'] . '#comment-' . $comment_id;
+			$location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment_id ) : sanitize_url( wp_unslash( $_POST['redirect_to'] ) ) . '#comment-' . $comment_id; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 
 			$location = apply_filters( 'comment_post_redirect', $location, $comment );
 
diff --git a/modules/sportspress-overview.php b/modules/sportspress-overview.php
index 2c3b5136..275d223d 100644
--- a/modules/sportspress-overview.php
+++ b/modules/sportspress-overview.php
@@ -262,7 +262,7 @@ endif;
 
 					<?php
 					if ( isset( $_GET['term'] ) ) :
-						$term = get_term( $_GET['term'], $taxonomy ); // Posts in term
+						$term = get_term( sanitize_key( $_GET['term'] ), $taxonomy ); // Posts in term
 						?>
 
 						<ul class="sp-utility">
@@ -910,7 +910,7 @@ endforeach;
 					
 						<?php
 						$post_object     = get_post_type_object( $post_type );
-						$taxonomy_object = get_taxonomy( $_GET['taxonomy'] );
+						$taxonomy_object = get_taxonomy( sanitize_key( $_GET['taxonomy'] ) );
 						?>
 
 						<?php
diff --git a/modules/sportspress-tutorials.php b/modules/sportspress-tutorials.php
index cc27b229..0648a186 100644
--- a/modules/sportspress-tutorials.php
+++ b/modules/sportspress-tutorials.php
@@ -194,7 +194,7 @@ if ( ! class_exists( 'SportsPress_Tutorials' ) ) :
 					'advanced'  => esc_attr__( 'Advanced', 'sportspress' ),
 				)
 			);
-			if ( isset( $_GET['tab'] ) && array_key_exists( $_GET['tab'], $tabs ) ) {
+			if ( isset( $_GET['tab'] ) && array_key_exists( wp_unslash( $_GET['tab'] ), $tabs ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 				$current_tab = sanitize_key( $_GET['tab'] );
 			} else {
 				$current_tab = key( $tabs );
diff --git a/modules/sportspress-user-registration.php b/modules/sportspress-user-registration.php
index 226aa892..d260f1db 100644
--- a/modules/sportspress-user-registration.php
+++ b/modules/sportspress-user-registration.php
@@ -105,8 +105,8 @@ if ( ! class_exists( 'SportsPress_User_Registration' ) ) :
 		 */
 		public static function register_form() {
 			if ( 'yes' === get_option( 'sportspress_registration_name_inputs', 'no' ) ) {
-				$first_name = ( ! empty( $_POST['first_name'] ) ) ? trim( sanitize_text_field( $_POST['first_name'] ) ) : '';
-				$last_name  = ( ! empty( $_POST['last_name'] ) ) ? trim( sanitize_text_field( $_POST['last_name'] ) ) : '';
+				$first_name = ( ! empty( $_POST['first_name'] ) ) ? trim( sanitize_text_field( wp_unslash( $_POST['first_name'] ) ) ) : '';
+				$last_name  = ( ! empty( $_POST['last_name'] ) ) ? trim( sanitize_text_field( wp_unslash( $_POST['last_name'] ) ) ) : '';
 				?>
 	  <p>
 		  <label for="first_name"><?php esc_attr_e( 'First Name', 'sportspress' ); ?><br />
@@ -149,22 +149,22 @@ if ( ! class_exists( 'SportsPress_User_Registration' ) ) :
 			// Save first and last name
 			if ( 'yes' === get_option( 'sportspress_registration_name_inputs', 'no' ) ) {
 				if ( ! empty( $_POST['first_name'] ) ) {
-					$meta    = trim( sanitize_text_field( $_POST['first_name'] ) );
+					$meta    = trim( sanitize_text_field( wp_unslash( $_POST['first_name'] ) ) );
 					$parts[] = $meta;
 					update_user_meta( $user_id, 'first_name', $meta );
 				}
 
 				if ( ! empty( $_POST['last_name'] ) ) {
-					$meta    = trim( sanitize_text_field( $_POST['last_name'] ) );
+					$meta    = trim( sanitize_text_field( wp_unslash( $_POST['last_name'] ) ) );
 					$parts[] = $meta;
 					update_user_meta( $user_id, 'last_name', $meta );
 				}
 			}
 
 			// Add team from team name
-			if ( isset( $_POST['sp_register_form_team'] ) && wp_verify_nonce( $_POST['sp_register_form_team'], 'submit_team_name' ) ) {
+			if ( isset( $_POST['sp_register_form_team'] ) && wp_verify_nonce( sanitize_key( $_POST['sp_register_form_team'] ), 'submit_team_name' ) ) {
 				if ( ! empty( $_POST['team_name'] ) ) {
-					$team_name           = trim( sanitize_text_field( $_POST['team_name'] ) );
+					$team_name           = trim( sanitize_text_field( wp_unslash( $_POST['team_name'] ) ) );
 					$post['post_type']   = 'sp_team';
 					$post['post_title']  = $team_name;
 					$post['post_author'] = $user_id;
@@ -174,9 +174,9 @@ if ( ! class_exists( 'SportsPress_User_Registration' ) ) :
 			}
 
 			// Save team
-			if ( isset( $_POST['sp_register_form_player'] ) && wp_verify_nonce( $_POST['sp_register_form_player'], 'submit_team' ) ) {
+			if ( isset( $_POST['sp_register_form_player'] ) && wp_verify_nonce( sanitize_key( $_POST['sp_register_form_player'] ), 'submit_team' ) ) {
 				if ( ! empty( $_POST['sp_team'] ) ) {
-					$team = trim( sanitize_text_field( $_POST['sp_team'] ) );
+					$team = trim( sanitize_text_field( wp_unslash( $_POST['sp_team'] ) ) );
 					if ( $team <= 0 ) {
 						$team = 0;
 					}
@@ -187,7 +187,7 @@ if ( ! class_exists( 'SportsPress_User_Registration' ) ) :
 			// Add player
 			if ( 'yes' === get_option( 'sportspress_registration_add_player', 'no' ) ) {
 				if ( ! sizeof( $parts ) && ! empty( $_POST['user_login'] ) ) {
-					$parts[] = trim( sanitize_text_field( $_POST['user_login'] ) );
+					$parts[] = trim( sanitize_text_field( wp_unslash( $_POST['user_login'] ) ) );
 				}
 
 				if ( sizeof( $parts ) ) {
diff --git a/templates/event-calendar.php b/templates/event-calendar.php
index 7dc68e83..d37d703a 100644
--- a/templates/event-calendar.php
+++ b/templates/event-calendar.php
@@ -97,8 +97,8 @@ if ( empty( $events ) ) {
 $week_begins = intval( get_option( 'start_of_week' ) );
 
 // Get year and month from query vars
-$year     = isset( $_GET['sp_year'] ) ? $_GET['sp_year'] : $year;
-$monthnum = isset( $_GET['sp_month'] ) ? $_GET['sp_month'] : $monthnum;
+$year     = isset( $_GET['sp_year'] ) ? sanitize_text_field( wp_unslash( $_GET['sp_year'] ) ) : $year;
+$monthnum = isset( $_GET['sp_month'] ) ? sanitize_text_field( wp_unslash( $_GET['sp_month'] ) ) : $monthnum;
 
 // Let's figure out when we are
 if ( ! empty( $monthnum ) && ! empty( $year ) ) {
@@ -220,7 +220,7 @@ if ( $dayswithposts ) {
 	$daywithpost = array();
 }
 
-if ( array_key_exists( 'HTTP_USER_AGENT', $_SERVER ) && preg_match( '/(MSIE|camino|safari)/', $_SERVER['HTTP_USER_AGENT'] ) ) {
+if ( array_key_exists( 'HTTP_USER_AGENT', $_SERVER ) && preg_match( '/(MSIE|camino|safari)/', wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 	$ak_title_separator = "\n";
 } else {
 	$ak_title_separator = ', ';