Sanitize and unslash all inputs

This commit is contained in:
Brian Miyaji
2021-11-14 13:49:51 +09:00
parent 8873e5adeb
commit a605d7ed1a
30 changed files with 98 additions and 98 deletions


@@ -520,7 +520,7 @@ if ( ! class_exists( 'SP_Settings_Events' ) ) :
parent::save();
if ( isset( $_POST['sportspress_event_teams_delimiter'] ) ) {
update_option( 'sportspress_event_teams_delimiter', sanitize_text_field( $_POST['sportspress_event_teams_delimiter'] ) );
update_option( 'sportspress_event_teams_delimiter', sanitize_text_field( wp_unslash( $_POST['sportspress_event_teams_delimiter'] ) ) );
}
}
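Review bot: `sanitize_text_field()` on line 16 also trims leading and trailing whitespace, so a delimiter entered as ` vs ` is stored as `vs`; if padded delimiters are meant to be supported, the value should be cleaned without the trim, e.g. `wp_strip_all_tags( wp_unslash( $_POST['sportspress_event_teams_delimiter'] ) )`. If stripping the surrounding whitespace is intentional, a one-line comment saying so would save the next reader from wondering. The enclosing `save()` method, and the `parent::save()` call it relies on for any nonce or capability check, start and end outside the hunk.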


@@ -281,27 +281,27 @@ if ( ! class_exists( 'SP_Settings_General' ) ) :
SP_Admin_Settings::save_fields( $settings );
// Map UTC+- timezones to gmt_offsets and set timezone_string to empty.
if ( ! empty( $_POST['timezone_string'] ) && preg_match( '/^UTC[+-]/', $_POST['timezone_string'] ) ) {
$_POST['gmt_offset'] = preg_replace( '/UTC\+?/', '', sanitize_text_field( $_POST['timezone_string'] ) );
if ( ! empty( $_POST['timezone_string'] ) && preg_match( '/^UTC[+-]/', $_POST['timezone_string'] ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
$_POST['gmt_offset'] = preg_replace( '/UTC\+?/', '', sanitize_text_field( wp_unslash( $_POST['timezone_string'] ) ) );
$_POST['timezone_string'] = '';
}
if ( isset( $_POST['timezone_string'] ) ) {
update_option( 'timezone_string', sanitize_option( 'timezone_string', $_POST['timezone_string'] ) );
update_option( 'timezone_string', sanitize_option( 'timezone_string', wp_unslash( $_POST['timezone_string'] ) ) );
}
if ( isset( $_POST['gmt_offset'] ) ) {
update_option( 'gmt_offset', sanitize_option( 'gmt_offset', $_POST['gmt_offset'] ) );
update_option( 'gmt_offset', sanitize_option( 'gmt_offset', wp_unslash( $_POST['gmt_offset'] ) ) );
}
if ( isset( $_POST['sportspress_frontend_css_primary'] ) ) {
// Save settings
$primary = ( ! empty( $_POST['sportspress_frontend_css_primary'] ) ) ? sp_format_hex( $_POST['sportspress_frontend_css_primary'] ) : '';
$background = ( ! empty( $_POST['sportspress_frontend_css_background'] ) ) ? sp_format_hex( $_POST['sportspress_frontend_css_background'] ) : '';
$text = ( ! empty( $_POST['sportspress_frontend_css_text'] ) ) ? sp_format_hex( $_POST['sportspress_frontend_css_text'] ) : '';
$heading = ( ! empty( $_POST['sportspress_frontend_css_heading'] ) ) ? sp_format_hex( $_POST['sportspress_frontend_css_heading'] ) : '';
$link = ( ! empty( $_POST['sportspress_frontend_css_link'] ) ) ? sp_format_hex( $_POST['sportspress_frontend_css_link'] ) : '';
$primary = ( ! empty( $_POST['sportspress_frontend_css_primary'] ) ) ? sp_format_hex( sanitize_text_field( wp_unslash( $_POST['sportspress_frontend_css_primary'] ) ) ) : '';
$background = ( ! empty( $_POST['sportspress_frontend_css_background'] ) ) ? sp_format_hex( sanitize_text_field( wp_unslash( $_POST['sportspress_frontend_css_background'] ) ) ) : '';
$text = ( ! empty( $_POST['sportspress_frontend_css_text'] ) ) ? sp_format_hex( sanitize_text_field( wp_unslash( $_POST['sportspress_frontend_css_text'] ) ) ) : '';
$heading = ( ! empty( $_POST['sportspress_frontend_css_heading'] ) ) ? sp_format_hex( sanitize_text_field( wp_unslash( $_POST['sportspress_frontend_css_heading'] ) ) ) : '';
$link = ( ! empty( $_POST['sportspress_frontend_css_link'] ) ) ? sp_format_hex( sanitize_text_field( wp_unslash( $_POST['sportspress_frontend_css_link'] ) ) ) : '';
$customize = ( ! empty( $_POST['sportspress_frontend_css_customize'] ) ) ? 1 : '';
$colors = array(
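Review bot: The five colour values on lines 46–50 are now text-sanitized, but nothing in the hunk constrains them to a hex colour before `sp_format_hex()` receives them; if that helper only normalises (adds `#`, expands the short form) rather than validating, a value such as `red;}body{` passes `sanitize_text_field()` untouched and lands in the saved colours. A guard like `preg_match( '/^#?[0-9a-fA-F]{3,6}$/', $v ) ? sp_format_hex( $v ) : ''` placed once in a small private helper, `$this->posted_hex( 'sportspress_frontend_css_primary' )`, would also remove the five identical `sp_format_hex( sanitize_text_field( wp_unslash( … ) ) )` chains. I cannot see `sp_format_hex()` from here, so this hinges on what it does with non-hex input; `save()` starts and ends outside the hunk.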


@@ -134,7 +134,7 @@ if ( ! class_exists( 'SP_Settings_Licenses' ) ) :
}
// retrieve the license key
$license = trim( sanitize_text_field( $_POST[ 'sp_license_key_' . $id ] ) );
$license = trim( sanitize_text_field( wp_unslash( $_POST[ 'sp_license_key_' . $id ] ) ) );
// get the name of the product
$name = $this->licenses[ $id ]['name'];
@@ -189,7 +189,7 @@ if ( ! class_exists( 'SP_Settings_Licenses' ) ) :
}
// retrieve the license key
$license = trim( sanitize_text_field( $_POST[ 'sp_license_key_' . $id ] ) );
$license = trim( sanitize_text_field( wp_unslash( $_POST[ 'sp_license_key_' . $id ] ) ) );
// get the name of the product
$name = $this->licenses[ $id ]['name'];
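Review bot: Both hunks (lines 60 and 67) read `$_POST[ 'sp_license_key_' . $id ]` without a visible `isset()`; if the closing brace above each does not belong to such a check, a missing field emits an undefined-index notice and `$license` silently becomes `''`. Wrapping both reads in one private helper, `private function posted_license_key( $id ) { return isset( $_POST[ 'sp_license_key_' . $id ] ) ? trim( sanitize_text_field( wp_unslash( $_POST[ 'sp_license_key_' . $id ] ) ) ) : ''; }`, makes the empty case explicit and removes the duplicated chain. Both enclosing functions start and end outside the hunks.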


@@ -81,7 +81,7 @@ if ( ! class_exists( 'SP_Settings_Page' ) ) :
}
if ( isset( $_POST['sportspress_template_visibility'] ) && is_array( $_POST['sportspress_template_visibility'] ) ) {
foreach ( $_POST['sportspress_template_visibility'] as $option => $toggled ) {
foreach ( $_POST['sportspress_template_visibility'] as $option => $toggled ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
if ( $toggled ) {
update_option( $option, 'yes' );
} else {


@@ -87,7 +87,7 @@ if ( ! class_exists( 'SP_Settings_Status' ) ) :
</tr>
<tr>
<td><?php esc_html_e( 'Web Server Info', 'sportspress' ); ?>:</td>
<td><?php echo esc_html( $_SERVER['SERVER_SOFTWARE'] ); ?></td>
<td><?php echo esc_html( wp_unslash( $_SERVER['SERVER_SOFTWARE'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput ?></td>
</tr>
<tr>
<td><?php esc_html_e( 'PHP Version', 'sportspress' ); ?>:</td>
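Review bot: `$_SERVER['SERVER_SOFTWARE']` on line 89 is read without an `isset()` guard; it is not populated under every SAPI, and where it is missing this line emits an undefined-index notice inside the rendered table. `echo isset( $_SERVER['SERVER_SOFTWARE'] ) ? esc_html( wp_unslash( $_SERVER['SERVER_SOFTWARE'] ) ) : esc_html__( 'Unknown', 'sportspress' );` keeps the cell escaped in both cases. The `esc_html()` wrapping itself is the right escape for this HTML text context.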


@@ -81,7 +81,7 @@ if ( ! class_exists( 'SP_Settings_Text' ) ) :
*/
public function save() {
if ( isset( $_POST['sportspress_text'] ) ) {
update_option( 'sportspress_text', array_map( 'sanitize_text_field', $_POST['sportspress_text'] ) );
update_option( 'sportspress_text', array_map( 'sanitize_text_field', array_map( 'wp_unslash', $_POST['sportspress_text'] ) ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
}
}
}
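Review bot: `array_map()` on line 101 assumes `$_POST['sportspress_text']` is an array, but nothing guards that; a scalar value makes `array_map()` raise a warning (a TypeError on PHP 8), and a nested array hands an array to `sanitize_text_field()`. `wp_unslash()` already recurses into arrays, so the double map can become `if ( isset( $_POST['sportspress_text'] ) && is_array( $_POST['sportspress_text'] ) ) {` and `update_option( 'sportspress_text', map_deep( wp_unslash( $_POST['sportspress_text'] ), 'sanitize_text_field' ) );`, which also sanitizes nested values. The array keys are stored unchanged; running them through `sanitize_key()` is worth considering if they are later used as lookup names.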