From e24a9fa4eb134ce1b223954e82d9d65c95a72d2e Mon Sep 17 00:00:00 2001
From: savvasha <savvasha@hotmail.com>
Date: Sat, 6 Nov 2021 12:34:49 +0200
Subject: [PATCH] Escape output vars of includes files (#1)

---
 includes/class-sp-ajax.php            | 10 +++++-----
 includes/class-sp-countries.php       |  4 ++--
 includes/class-sp-shortcodes.php      |  4 ++--
 includes/class-sp-template-loader.php |  2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/includes/class-sp-ajax.php b/includes/class-sp-ajax.php
index 1abf0592..ca6080a3 100644
--- a/includes/class-sp-ajax.php
+++ b/includes/class-sp-ajax.php
@@ -554,7 +554,7 @@ class SP_AJAX {
 						<option value="default">Default</option>
 						<option value="all">All</option>
 						<?php foreach ( SP()->formats->event as $key => $format ): ?>
-							<option value="<?php echo $key; ?>"><?php echo $format; ?></option>
+							<option value="<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $format ); ?></option>
 						<?php endforeach; ?>
 					</select>
 				</label>
@@ -634,7 +634,7 @@ class SP_AJAX {
 				$field_id = 'columns';
 				?>
 				<?php foreach ( $the_columns as $key => $label ): ?>
-					<label class="button"><input name="<?php echo $field_name; ?>" type="checkbox" id="<?php echo $field_id . '-' . $key; ?>" value="<?php echo $key; ?>" checked="checked"><?php echo $label; ?></label>
+					<label class="button"><input name="<?php echo $field_name; ?>" type="checkbox" id="<?php echo $field_id . '-' . $key; ?>" value="<?php echo $key; ?>" checked="checked"><?php echo esc_html( $label ); ?></label>
 				<?php endforeach; ?>
 			</p>
 			<p>
@@ -761,7 +761,7 @@ class SP_AJAX {
 					<option value="default">Default</option>
 					<option value="all">All</option>
 					<?php foreach ( SP()->formats->event as $key => $format ): ?>
-					<option value="<?php echo $key; ?>"><?php echo $format; ?></option>
+					<option value="<?php echo esc_attr( $key ); ?>"><?php echo esc_attr( $format ); ?></option>
 					<?php endforeach; ?>
 					</select>
 				</label>
@@ -898,7 +898,7 @@ class SP_AJAX {
 				$field_id = 'columns';
 				?>
 				<?php foreach ( $the_columns as $column ): ?>
-					<label class="button"><input name="<?php echo $field_name; ?>" type="checkbox" id="<?php echo $field_id . '-' . $column->post_name; ?>" value="<?php echo $column->post_name; ?>" checked="checked"><?php echo $column->post_title; ?></label>
+					<label class="button"><input name="<?php echo $field_name; ?>" type="checkbox" id="<?php echo $field_id . '-' . esc_attr( $column->post_name ); ?>" value="<?php echo esc_attr( $column->post_name ); ?>" checked="checked"><?php echo esc_html( $column->post_title ); ?></label>
 				<?php endforeach; ?>
 			</p>
 			<p>
@@ -1152,7 +1152,7 @@ class SP_AJAX {
 				<label class="button"><input name="columns[]" type="checkbox" id="columns-team" value="team" checked="checked"><?php _e( 'Team', 'sportspress' ); ?></label>
 				<label class="button"><input name="columns[]" type="checkbox" id="columns-position" value="position" checked="checked"><?php _e( 'Position', 'sportspress' ); ?></label>
 				<?php foreach ( $the_columns as $column ): ?>
-					<label class="button"><input name="<?php echo $field_name; ?>" type="checkbox" id="<?php echo $field_id . '-' . $column->post_name; ?>" value="<?php echo $column->post_name; ?>" checked="checked"><?php echo $column->post_title; ?></label>
+					<label class="button"><input name="<?php echo $field_name; ?>" type="checkbox" id="<?php echo $field_id . '-' . esc_attr( $column->post_name ); ?>" value="<?php echo esc_attr( $column->post_name ); ?>" checked="checked"><?php echo esc_html( $column->post_title ); ?></label>
 				<?php endforeach; ?>
 			</p>
 			<p>
diff --git a/includes/class-sp-countries.php b/includes/class-sp-countries.php
index a3c00e3b..b56ddb17 100644
--- a/includes/class-sp-countries.php
+++ b/includes/class-sp-countries.php
@@ -748,9 +748,9 @@ class SP_Countries {
 	public function country_dropdown_options( $selected_country = '', $escape = false ) {
 		if ( $this->continents ) foreach ( $this->continents as $continent => $countries ):
 			?>
-				<optgroup label="<?php echo $continent; ?>">
+				<optgroup label="<?php echo esc_attr( $continent ); ?>">
 					<?php foreach ( $countries as $code => $country ): ?>
-						<option value="<?php echo $code; ?>" <?php selected ( $selected_country, $code ); ?>><?php echo $country; ?></option>
+						<option value="<?php echo esc_attr( $code ); ?>" <?php selected ( $selected_country, $code ); ?>><?php echo esc_html( $country ); ?></option>
 					<?php endforeach; ?>
 				</optgroup>
 			<?php
diff --git a/includes/class-sp-shortcodes.php b/includes/class-sp-shortcodes.php
index 89fbb4a4..969e102a 100644
--- a/includes/class-sp-shortcodes.php
+++ b/includes/class-sp-shortcodes.php
@@ -66,9 +66,9 @@ class SP_Shortcodes {
 		$before 	= empty( $wrapper['before'] ) ? '<div class="' . esc_attr( $wrapper['class'] ) . '">' : $wrapper['before'];
 		$after 		= empty( $wrapper['after'] ) ? '</div>' : $wrapper['after'];
 
-		echo $before;
+		echo esc_html( $before );
 		call_user_func( $function, $atts );
-		echo $after;
+		echo esc_html( $after );
 
 		return ob_get_clean();
 	}
diff --git a/includes/class-sp-template-loader.php b/includes/class-sp-template-loader.php
index 9c3a2422..bf33b81e 100644
--- a/includes/class-sp-template-loader.php
+++ b/includes/class-sp-template-loader.php
@@ -80,7 +80,7 @@ class SP_Template_Loader {
 				// Render the template
 				echo '<div class="sp-section-content sp-section-content-' . $key . '">';
 				if ( 'content' === $key ) {
-					echo $content;
+					echo wp_kses_post( $content );
 					// Template content hook
 					do_action( 'sportspress_single_' . $type . '_content' );
 				} else {