From e58beb120106eef13097a84291a2356af00532bc Mon Sep 17 00:00:00 2001
From: Savvas Hadjigeorgiou <savvasha@hotmail.com>
Date: Tue, 9 Nov 2021 08:24:23 +0200
Subject: [PATCH] Escaping vars from class-sp-ajax, class-sp-settings-status,
 class-sp-template-loader, class-sp-admin-dashboard and
 class-sp-widget-birthdays

---
 includes/admin/class-sp-admin-dashboard.php          | 2 +-
 includes/admin/settings/class-sp-settings-status.php | 6 +++---
 includes/class-sp-ajax.php                           | 6 +++---
 includes/class-sp-template-loader.php                | 2 +-
 includes/widgets/class-sp-widget-birthdays.php       | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/includes/admin/class-sp-admin-dashboard.php b/includes/admin/class-sp-admin-dashboard.php
index bafd2ddd..570ec260 100644
--- a/includes/admin/class-sp-admin-dashboard.php
+++ b/includes/admin/class-sp-admin-dashboard.php
@@ -54,7 +54,7 @@ class SP_Admin_Dashboard {
                 else:
                     $output = '<span>' . $text . '</span>';
                 endif;
-                echo '<li class="post-count ' . $post_type->name . '-count">' . $output . '</li>';
+                echo '<li class="post-count ' . eac_attr( $post_type->name ) . '-count">' . esc_html( $output ) . '</li>';
             endif;
         endforeach;
         return $items;
diff --git a/includes/admin/settings/class-sp-settings-status.php b/includes/admin/settings/class-sp-settings-status.php
index eae3cb45..d57028fd 100644
--- a/includes/admin/settings/class-sp-settings-status.php
+++ b/includes/admin/settings/class-sp-settings-status.php
@@ -245,7 +245,7 @@ class SP_Settings_Status extends SP_Settings_Page {
 						if ( sizeof( $sp_plugins ) == 0 )
 							echo '-';
 						else
-							echo implode( ', <br/>', $sp_plugins );
+							echo implode( ', <br/>', array_map( 'wp_kses_post', $sp_plugins ) );
 
 					?></td>
 				</tr>
@@ -510,8 +510,8 @@ class SP_Settings_Status extends SP_Settings_Page {
 						if ( $found_files ) {
 							foreach ( $found_files as $plugin_name => $found_plugin_files ) {
 								?>
-								<td><?php _e( 'Template Overrides', 'sportspress' ); ?> (<?php echo $plugin_name; ?>):</td>
-								<td><?php echo implode( ', <br/>', $found_plugin_files ); ?></td>
+								<td><?php _e( 'Template Overrides', 'sportspress' ); ?> (<?php echo wp_kses_post( $plugin_name ); ?>):</td>
+								<td><?php echo implode( ', <br/>', array_map( 'wp_kses_post', $found_plugin_files ) ); ?></td>
 								<?php
 							}
 						} else {
diff --git a/includes/class-sp-ajax.php b/includes/class-sp-ajax.php
index 174a90a0..8ef5e10f 100644
--- a/includes/class-sp-ajax.php
+++ b/includes/class-sp-ajax.php
@@ -634,7 +634,7 @@ class SP_AJAX {
 				$field_id = 'columns';
 				?>
 				<?php foreach ( $the_columns as $key => $label ): ?>
-					<label class="button"><input name="<?php echo $field_name; ?>" type="checkbox" id="<?php echo $field_id . '-' . $key; ?>" value="<?php echo $key; ?>" checked="checked"><?php echo esc_html( $label ); ?></label>
+					<label class="button"><input name="<?php echo esc_attr( $field_name ); ?>" type="checkbox" id="<?php echo esc_attr( $field_id ) . '-' . esc_attr( $key ); ?>" value="<?php echo esc_attr( $key ); ?>" checked="checked"><?php echo esc_html( $label ); ?></label>
 				<?php endforeach; ?>
 			</p>
 			<p>
@@ -898,7 +898,7 @@ class SP_AJAX {
 				$field_id = 'columns';
 				?>
 				<?php foreach ( $the_columns as $column ): ?>
-					<label class="button"><input name="<?php echo $field_name; ?>" type="checkbox" id="<?php echo $field_id . '-' . esc_attr( $column->post_name ); ?>" value="<?php echo esc_attr( $column->post_name ); ?>" checked="checked"><?php echo esc_html( $column->post_title ); ?></label>
+					<label class="button"><input name="<?php echo esc_attr( $field_name ); ?>" type="checkbox" id="<?php echo esc_attr( $field_id ) . '-' . esc_attr( $column->post_name ); ?>" value="<?php echo esc_attr( $column->post_name ); ?>" checked="checked"><?php echo esc_html( $column->post_title ); ?></label>
 				<?php endforeach; ?>
 			</p>
 			<p>
@@ -1152,7 +1152,7 @@ class SP_AJAX {
 				<label class="button"><input name="columns[]" type="checkbox" id="columns-team" value="team" checked="checked"><?php _e( 'Team', 'sportspress' ); ?></label>
 				<label class="button"><input name="columns[]" type="checkbox" id="columns-position" value="position" checked="checked"><?php _e( 'Position', 'sportspress' ); ?></label>
 				<?php foreach ( $the_columns as $column ): ?>
-					<label class="button"><input name="<?php echo $field_name; ?>" type="checkbox" id="<?php echo $field_id . '-' . esc_attr( $column->post_name ); ?>" value="<?php echo esc_attr( $column->post_name ); ?>" checked="checked"><?php echo esc_html( $column->post_title ); ?></label>
+					<label class="button"><input name="<?php echo esc_attr( $field_name ); ?>" type="checkbox" id="<?php echo esc_attr( $field_id ) . '-' . esc_attr( $column->post_name ); ?>" value="<?php echo esc_attr( $column->post_name ); ?>" checked="checked"><?php echo esc_html( $column->post_title ); ?></label>
 				<?php endforeach; ?>
 			</p>
 			<p>
diff --git a/includes/class-sp-template-loader.php b/includes/class-sp-template-loader.php
index 5778ec15..710180e4 100644
--- a/includes/class-sp-template-loader.php
+++ b/includes/class-sp-template-loader.php
@@ -78,7 +78,7 @@ class SP_Template_Loader {
 				if ( 'yes' !== get_option( $template['option'], sp_array_value( $template, 'default', 'yes' ) ) ) continue;
 				
 				// Render the template
-				echo '<div class="sp-section-content sp-section-content-' . $key . '">';
+				echo '<div class="sp-section-content sp-section-content-' . esc_attr( $key ) . '">';
 				if ( 'content' === $key ) {
 					echo wp_kses_post( $content );
 					// Template content hook
diff --git a/includes/widgets/class-sp-widget-birthdays.php b/includes/widgets/class-sp-widget-birthdays.php
index 270cfe22..b656d055 100644
--- a/includes/widgets/class-sp-widget-birthdays.php
+++ b/includes/widgets/class-sp-widget-birthdays.php
@@ -77,7 +77,7 @@ class SP_Widget_Birthdays extends WP_Widget {
 			<label for="<?php echo $this->get_field_id('birthday_format'); ?>"><?php _e( 'Format:', 'sportspress' ); ?></label>
 			<select name="<?php echo $this->get_field_name('birthday_format'); ?>" id="<?php echo $this->get_field_id('birthday_format'); ?>" class="postform widefat">
 				<?php foreach ( $birthday_options as $value => $label ) { ?>
-					<option value="<?php echo $value; ?>" <?php selected( $value, $birthday_format ); ?>><?php echo $label; ?></option>
+					<option value="<?php echo $value; ?>" <?php selected( $value, $birthday_format ); ?>><?php echo esc_html( $label ); ?></option>
 				<?php } ?>
 			</select>
 		</p>