From f07f42b5c928da792c55709faedae21755121ffc Mon Sep 17 00:00:00 2001
From: Brian Miyaji
Date: Sat, 6 Nov 2021 19:03:26 +0900
Subject: [PATCH] Sanitize instead of escape inputs
---
 includes/admin/importers/class-sp-importer.php | 2 +-
 includes/admin/post-types/class-sp-admin-cpt-event.php | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/includes/admin/importers/class-sp-importer.php b/includes/admin/importers/class-sp-importer.php
index 9c2568ce..78c91b96 100644
--- a/includes/admin/importers/class-sp-importer.php
+++ b/includes/admin/importers/class-sp-importer.php
@@ -231,7 +231,7 @@ if ( class_exists( 'WP_Importer' ) ) {
 if ( file_exists( ABSPATH . $_POST['file_url'] ) ) {
- $this->file_url = esc_attr( $_POST['file_url'] );
+ $this->file_url = sanitize_url( $_POST['file_url'] );
 } else {
diff --git a/includes/admin/post-types/class-sp-admin-cpt-event.php b/includes/admin/post-types/class-sp-admin-cpt-event.php
index 02236359..cd33a221 100644
--- a/includes/admin/post-types/class-sp-admin-cpt-event.php
+++ b/includes/admin/post-types/class-sp-admin-cpt-event.php
@@ -262,7 +262,7 @@ class SP_Admin_CPT_Event extends SP_Admin_CPT {
 if ( $typenow != 'sp_event' ) return;
- $selected = isset( $_REQUEST['team'] ) ? esc_attr( $_REQUEST['team'] ) : null;
+ $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
 $args = array(
 'post_type' => 'sp_team',
 'name' => 'team',
@@ -272,7 +272,7 @@ class SP_Admin_CPT_Event extends SP_Admin_CPT {
 );
 wp_dropdown_pages( $args );
- $selected = isset( $_REQUEST['sp_league'] ) ? esc_attr( $_REQUEST['sp_league'] ) : null;
+ $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
 'taxonomy' => 'sp_league',
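Review bot: The `file_exists()` guard on the context line above still tests the raw `$_POST['file_url']`, while the value stored on the changed line is the sanitized form, so the path that was checked and the path that is kept can differ whenever sanitization alters the input. `sanitize_url()` is also a URL sanitizer (percent-encoding spaces and similar), which is an odd fit for a value that is concatenated onto `ABSPATH` as a filesystem path, and it does not reject parent-directory segments; a defender would sanitize once into a local, use that same local for both the check and the assignment, and additionally confine the resolved path (e.g. `realpath()` of the candidate must start with `realpath( ABSPATH )`) before accepting it. The minimal form of the first part is `$file = sanitize_text_field( wp_unslash( $_POST['file_url'] ) );` then `if ( '' !== $file && file_exists( ABSPATH . $file ) ) {` and `$this->file_url = $file;`. If I recall correctly, at this commit's date `sanitize_url()` was still a deprecated alias of `esc_url_raw()` in WordPress core (it was reinstated later), so the call may raise a deprecation notice on the versions then supported — worth confirming against the plugin's minimum WordPress requirement. The enclosing method starts and ends outside the hunk.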
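Review bot: `sanitize_key()` on the added `team` line is a coercing sanitizer rather than a validator — it lowercases and strips everything outside `[a-z0-9_-]`, so an unexpected value is silently reshaped into one that may match instead of being rejected. Since `$selected` here appears to feed `wp_dropdown_pages()` (presumably via a `'selected'` entry in `$args` that is outside the hunk), a post ID is the likely contract, and `absint()` states it exactly: `$selected = isset( $_REQUEST['team'] ) ? absint( $_REQUEST['team'] ) : null;`. The same consideration applies to the `sp_league` line in the hunk at -272 and the `sp_season` line in the hunk at -281: if those carry term IDs, `absint()` is the precise choice; if they carry slugs, `sanitize_key()` is appropriate but note that it lowercases, so a mixed-case value would no longer match. The enclosing method starts and ends outside these hunks.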
@@ -281,7 +281,7 @@ class SP_Admin_CPT_Event extends SP_Admin_CPT {
 );
 sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['sp_season'] ) ? esc_attr( $_REQUEST['sp_season'] ) : null;
+ $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
 $args = array(
 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
 'taxonomy' => 'sp_season',
@@ -290,7 +290,7 @@ class SP_Admin_CPT_Event extends SP_Admin_CPT {
 );
 sp_dropdown_taxonomies( $args );
- $selected = isset( $_REQUEST['match_day'] ) ? esc_attr( $_REQUEST['match_day'] ) : null;
+ $selected = isset( $_REQUEST['match_day'] ) ? sanitize_text_field( $_REQUEST['match_day'] ) : null;
 echo '';
 if ( current_user_can( 'edit_others_sp_events' ) )