Changeset 3270053

Timestamp:

04/10/2025 12:42:00 AM (11 months ago)

Author:

MarkODonnell

Message:

Committing version 4.8 for wordpress review.

Location:

team-rosters

Files:

• tags/4.7/css/mstw-tr-styles.css (modified) (1 diff)
• trunk/includes/mstw-tr-admin.php (modified) (8 diffs)
• trunk/includes/mstw-tr-csv-import-class.php (modified) (16 diffs)
• trunk/includes/mstw-tr-data-fields-columns-settings.php (modified) (5 diffs)
• trunk/includes/mstw-tr-player-cpt-admin.php (modified) (9 diffs)
• trunk/includes/mstw-tr-player-profiles-galleries-settings.php (modified) (1 diff)
• trunk/includes/mstw-tr-roster-color-settings.php (modified) (2 diffs)
• trunk/includes/mstw-tr-roster-table-settings.php (modified) (2 diffs)
• trunk/includes/mstw-tr-roster-tables-class.php (modified) (16 diffs)
• trunk/includes/mstw-tr-settings.php (modified) (7 diffs)
• trunk/includes/mstw-tr-team-roster-admin-class.php (modified) (18 diffs)
• trunk/includes/mstw-tr-team-tax-admin-class.php (modified) (8 diffs)
• trunk/includes/mstw-tr-utility-functions.php (modified) (17 diffs)
• trunk/includes/mstw-utility-functions.php (modified) (12 diffs)
• trunk/mstw-team-rosters.php (modified) (7 diffs)
• trunk/readme.txt (modified) (1 diff)
• trunk/theme-templates/single-player.php (modified) (11 diffs)
• trunk/theme-templates/taxonomy-team.php (modified) (2 diffs)

team-rosters/tags/4.7/css/mstw-tr-styles.css

@@ -367 +367 @@
 div.player-select-list,
 div.player-select-button {
-    /*float         : left;*/
+    float         : left;
     margin-left   : 5px;
     margin-right  : 5px;

team-rosters/trunk/includes/mstw-tr-admin.php

@@ -52 +52 @@
 if ( !is_admin( ) ) {
 
-    die( __( 'You is no admin. You a cheater!', 'team-rosters' ) );
+    die( esc_html__( 'You is no admin. You a cheater!', 'team-rosters' ) );
 }
 //
@@ -241 +241 @@
     global $current_screen;
     
-    wp_enqueue_style( 'tr-admin-styles', plugins_url( 'css/mstw-tr-admin-styles.css', dirname( __FILE__ ) ), array(), false, 'all' );
+    wp_enqueue_style( 'tr-admin-styles', 
+                                        plugins_url( 'css/mstw-tr-admin-styles.css', dirname( __FILE__ ) ), 
+                                        array( ), 
+                                        '4.9', 
+                                        array( )
+                                        );
     
     // This function loads in the required media files for the media manager
@@ -250 +255 @@
     wp_enqueue_media();
     
-    wp_enqueue_script( 'another-media', plugins_url( 'team-rosters/js/tr-another-media.js' ), null, false, true );
-    
-    wp_enqueue_style('thickbox');
+    wp_enqueue_script(  'another-media', 
+                                            plugins_url( 'team-rosters/js/tr-another-media.js' ), 
+                                            array( ), 
+                                            '4.9', 
+                                            array( )
+                                            );
+    
+    wp_enqueue_style( 'thickbox' );
     
     //
@@ -264 +274 @@
                            plugins_url( 'js/tr-manage-rosters.js', dirname( __FILE__ ) ), 
                            array( ), 
-                           false, true );
+                           '4.9', 
+                             array( )
+                             );
     }
     
@@ -274 +286 @@
                            plugins_url( 'js/tr-manage-teams.js', dirname( __FILE__ ) ), 
                            array( ), 
-                           false, true );
+                           '4.9', 
+                             array( )
+                             );
 
     }
@@ -282 +296 @@
                            plugins_url( 'js/tr-load-teams.js', dirname( __FILE__ ) ), 
                            array( ), 
-                           false, true );
+                           '4.9', 
+                             array( )
+                             );
     }
     
@@ -812 +828 @@
 ?>
 <div class="wrap">
-    <h2><?php _e( 'Team Rosters - Quick Start', 'team-rosters') ?></h2>
+    <h2><?php esc_html_e( 'Team Rosters - Quick Start', 'team-rosters') ?></h2>
     <h3>GETTING STARTED</h3>
     <ol>
-    <li><a href="<?php echo admin_url( '/edit-tags.php?taxonomy=mstw_tr_team&post_type=mstw_tr_player' ) ?>">TEAMS</a>. <?php _e('At least one team must exist before anything can be displayed via the shortcodes on the front end. Teams can be entered on this screen, or can be imported in bulk using the CSV IMPORT screen described below.', 'team-rosters' ) ?></li>
-    <li><a href="<?php echo admin_url( '/edit.php?post_type=mstw_tr_player' ) ?>">MANAGE PLAYERS</a>. <?php _e( 'After creating one or more teams, players must be added to them. Players may be added, edited, and deleted on this screen. However, there are faster ways to add players in bulk. See ADD PLAYERS TO ROSTERS and CSV IMPORT below.', 'team-rosters' )?></li>
-    <li><a href="<?php echo admin_url( '/admin.php?page=add-players-screen' ) ?>">ADD PLAYERS TO ROSTERS</a>.<?php _e( 'Multiple players may be added to a roster via this screen. While the same data as on the MANAGE PLAYERS screen must be entered, it can be entered more quickly on this screen.', 'team-rosters' )?></li>
-    <li><a href="<?php echo admin_url( '/admin.php?page=manage-team-rosters' ) ?>">EDIT ROSTERS</a>. <?php _e( 'Entire rosters may be edited or updated via this screen. While the same data as on the MANAGE PLAYERS screen must be entered, it can entered more quickly on this screen.', 'team-rosters' )?></li>
-    <li><a href="<?php echo admin_url( '/admin.php?page=mstw-tr-settings' ) ?>">SETTINGS</a>. <?php _e( 'Provides a rich set of controls for ROSTER TABLES, ROSTER GALLERIES, and SINGLE PLAYER PROFILES.', 'team-rosters' )?></li>
-    <li><a href="<?php echo admin_url( '/admin.php?page=mstw-tr-csv-import' ) ?>">CSV IMPORT</a>. <?php _e( 'Provides the ability to upload Teams and Players (including player photos) from CSV formatted files. Note that these CSV files can generated from previous version of MSTW Team Rosters using the MSTW CSV Exporter plugin, or created by hand using an editor. (Excel works great.)', 'team-rosters' )?></li>
+    <li><a href="<?php echo esc_url( admin_url( '/edit-tags.php?taxonomy=mstw_tr_team&post_type=mstw_tr_player' ) ) ?>">TEAMS</a>. <?php esc_html_e('At least one team must exist before anything can be displayed via the shortcodes on the front end. Teams can be entered on this screen, or can be imported in bulk using the CSV IMPORT screen described below.', 'team-rosters' ) ?></li>
+    <li><a href="<?php echo esc_url( admin_url( '/edit.php?post_type=mstw_tr_player' ) ) ?>">MANAGE PLAYERS</a>. <?php esc_html_e( 'After creating one or more teams, players must be added to them. Players may be added, edited, and deleted on this screen. However, there are faster ways to add players in bulk. See ADD PLAYERS TO ROSTERS and CSV IMPORT below.', 'team-rosters' )?></li>
+    <li><a href="<?php echo esc_url( admin_url( '/admin.php?page=add-players-screen' ) ) ?>">ADD PLAYERS TO ROSTERS</a>.<?php esc_html_e( 'Multiple players may be added to a roster via this screen. While the same data as on the MANAGE PLAYERS screen must be entered, it can be entered more quickly on this screen.', 'team-rosters' )?></li>
+    <li><a href="<?php echo esc_url( admin_url( '/admin.php?page=manage-team-rosters' ) ) ?>">EDIT ROSTERS</a>. <?php esc_html_e( 'Entire rosters may be edited or updated via this screen. While the same data as on the MANAGE PLAYERS screen must be entered, it can entered more quickly on this screen.', 'team-rosters' )?></li>
+    <li><a href="<?php echo esc_url( admin_url( '/admin.php?page=mstw-tr-settings' ) ) ?>">SETTINGS</a>. <?php esc_html_e( 'Provides a rich set of controls for ROSTER TABLES, ROSTER GALLERIES, and SINGLE PLAYER PROFILES.', 'team-rosters' )?></li>
+    <li><a href="<?php echo esc_url( admin_url( '/admin.php?page=mstw-tr-csv-import' ) ) ?>">CSV IMPORT</a>. <?php esc_html_e( 'Provides the ability to upload Teams and Players (including player photos) from CSV formatted files. Note that these CSV files can generated from previous version of MSTW Team Rosters using the MSTW CSV Exporter plugin, or created by hand using an editor. (Excel works great.)', 'team-rosters' )?></li>
     
     </ol>
@@ -828 +844 @@
     printf( 
     /* Translators: the arguments here are simply html formatting that does not require translation */
-    __( 'Team Rosters may be displayed in two formats: roster tables and roster galleries. Roster tables are displayed using the shortcode %1$s[mstw-tr-roster team=team-slug]%2$s Roster Galleries my be displayed using the shortcode %1$s[mstw-tr-gallery team=team-slug]%2$s or via the %3$staxonomy_team.php%4$s template. See the %5$sshortcodes man page%6$s for complete details.', 'team-rosters' ), '<blockquote><code>', '</code></blockquote>', '<strong><code>', '</code></strong>', '<a href="http://shoalsummitsolutions.com/tr-shortcodes/">', '</a>' ) ?>
+    esc_html__( 'Team Rosters may be displayed in two formats: roster tables and roster galleries. Roster tables are displayed using the shortcode %1$s[mstw-tr-roster team=team-slug]%2$s Roster Galleries my be displayed using the shortcode %1$s[mstw-tr-gallery team=team-slug]%2$s or via the %3$staxonomy_team.php%4$s template. See the %5$sshortcodes man page%6$s for complete details.', 'team-rosters' ), '<blockquote><code>', '</code></blockquote>', '<strong><code>', '</code></strong>', '<a href="http://shoalsummitsolutions.com/tr-shortcodes/">', '</a>' ) ?>
     </p>
     

team-rosters/trunk/includes/mstw-tr-csv-import-class.php

@@ -84 +84 @@
             <div class="wrap">
                 <?php //echo get_screen_icon(); ?>
-                <h2><?php _e( 'Import CSV Files', 'team-rosters' ) ?></h2>
+                <h2><?php esc_html_e( 'Import CSV Files', 'team-rosters' ) ?></h2>
                 
                 <p class='mstw-lm-admin-instructions'>
-                  <?php _e( 'Read the contextual help tab on the top right of this screen.', 'team-rosters' ) ?> 
+                  <?php esc_html_e( 'Read the contextual help tab on the top right of this screen.', 'team-rosters' ) ?> 
                 </p>
 
                 <!-- TEAMS import form -->
                 <form class="add:the-list: validate" method="post" enctype="multipart/form-data" action="">
+                    <?php wp_nonce_field( 'import-teams', 'mstw-tr-nonce' ); ?>
                     
                     <table class='form-table'>
-                    <thead><tr><th><?php _e( 'Teams', 'team-rosters' ) ?></th></tr></thead>
+                    <thead><tr><th><?php esc_html_e( 'Teams', 'team-rosters' ) ?></th></tr></thead>
                         
                         <tr>  <!-- CSV file selection field -->
-                            <td><label for="csv_teams_import"><?php _e( 'Teams CSV file:', 'team-rosters' ); ?></label></td>
+                            <td><label for="csv_teams_import"><?php esc_html_e( 'Teams CSV file:', 'team-rosters' ); ?></label></td>
                             <td><input name="csv_teams_import" id="csv_teams_import" type="file" value="" aria-required="true" />
                             <br/>
@@ -104 +105 @@
                         
                         <tr> <!-- Submit button -->
-                        <td colspan="2" class="submit tr-action-button"><input type="submit" class="button" name="submit" value="<?php _e( 'Import Teams', 'team-rosters' ); ?>"/></td>
+                        <td colspan="2" class="submit tr-action-button"><input type="submit" class="button" name="submit" value="<?php esc_html_e( 'Import Teams', 'team-rosters' ); ?>"/></td>
                         </tr>
                     
                     </table>
                 </form> <!--End: Teams import form -->
-                
-                <!--<div id = "roster-progress">
-                  <img src = "/wp-includes/js/thickbox/loadingAnimation.gif" />
-                  <p class='mstw-lm-admin-instructions'><?php //_e( 'Processing ...', 'team-rosters' )?></p>
-                </div> -->
-                
                 
                 <!-- PLAYERS import form -->
@@ -139 +134 @@
                 
                 <form class="add:the-list: validate" method="post" enctype="multipart/form-data">
-
+                    <?php wp_nonce_field( 'import-players', 'mstw-tr-nonce' ); ?>
                     <table class='form-table'>
                         <thead>
                             <tr><th colspan=2>
-                                <?php _e( 'Players', 'team-rosters' ) ?>
+                                <?php esc_html_e( 'Players', 'team-rosters' ) ?>
                                 <br/>
                                 <span class='description' style='font-weight: normal'><?php printf( 
                                         /* translators: %1s: HTML newline that should not be translated */
-                                        __( 'The importer will use the "player-teams" column in the CSV file to assign teams to a player if that column is not empty.%1$s Otherwise, the player will be assigned to the team selected in the "Select Team to Import" dropdown. %1$sOtherwise, the player will be imported but will not be assigned to a team.', 'team-rosters' ), '<br/>' ) ?></span>
+                                        esc_html__( 'The importer will use the "player-teams" column in the CSV file to assign teams to a player if that column is not empty.%1$s Otherwise, the player will be assigned to the team selected in the "Select Team to Import" dropdown. %1$sOtherwise, the player will be imported but will not be assigned to a team.', 'team-rosters' ), '<br/>' ) ?></span>
                             </th></tr>
                         </thead>    
@@ -153 +148 @@
                         <tbody>
                             <tr>  <!-- Team (to import) selection field -->
-                                <td><label for="csv_import_team"><?php _e( 'Select Team to Import:', 'team-rosters' ) ?></label></td>
+                                <td><label for="csv_import_team"><?php esc_html_e( 'Select Team to Import:', 'team-rosters' ) ?></label></td>
                                 <td><?php wp_dropdown_categories( $args ) ?>
                                 <br/>
-                                <span class='description' ><?php _e( 'This team will be used as the default if there is no entry for a player in the player_teams column.', 'team-rosters' ) ?></span>
+                                <span class='description' ><?php esc_html_e( 'This team will be used as the default if there is no entry for a player in the player_teams column.', 'team-rosters' ) ?></span>
                                 </td>
                             </tr>
                             <tr>
-                                <td><label for="csv_move_photos"><?php _e( 'Move Player Photos:', 'team-rosters') ?></label></td>
+                                <td><label for="csv_move_photos"><?php esc_html_e( 'Move Player Photos:', 'team-rosters') ?></label></td>
                                 <td><input name="csv_move_photos" id="csv_move_photos" type="checkbox" value="1" />
                                 <br/>
-                                <span class='description' ><?php _e( 'If checked, photo files will be imported from their current locations to the media library.If unchecked, photo files will remain in their current locations.', 'team-rosters' ) ?></span>
+                                <span class='description' ><?php esc_html_e( 'If checked, photo files will be imported from their current locations to the media library.If unchecked, photo files will remain in their current locations.', 'team-rosters' ) ?></span>
                                 </td>
                             </tr>
                             <tr> <!-- CSV file selection field -->
-                                <td><label for="csv_players_import"><?php _e( 'Players CSV file:', 'team-rosters') ?></label></td>
+                                <td><label for="csv_players_import"><?php esc_html_e( 'Players CSV file:', 'team-rosters') ?></label></td>
                                 <td><input name="csv_players_import" id="csv_players_import" type="file" value="" aria-required="true" />
                                 <br/>
-                                <span class='description' ><?php _e( 'Select the CSV players file to import.', 'team-rosters' ) ?></span>
+                                <span class='description' ><?php esc_html_e( 'Select the CSV players file to import.', 'team-rosters' ) ?></span>
                                 </td>
                             </tr>
@@ -189 +184 @@
         function print_messages() {
             //mstw_tr_log_msg( "MSTW_TR_ImporterPlugin.print_messages:" );
-            //mstw_tr_log_msg( $this -> log );
             
             if ( !empty( $this->log ) ) { ?>
@@ -198 +192 @@
                     <div class="error">
                         <?php foreach ($this->log['error'] as $error): ?>
-                            <p><?php echo $error; ?></p>
+                            <p><?php echo esc_html( $error ); ?></p>
                         <?php endforeach; ?>
                     </div>
@@ -206 +200 @@
                     <div class="updated fade">
                         <?php foreach ($this->log['notice'] as $notice): ?>
-                            <p><?php echo $notice; ?></p>
+                            <p><?php echo esc_html( $notice ); ?></p>
                         <?php endforeach; ?>
                     </div>
@@ -226 +220 @@
         function post( $options ) {
             //mstw_tr_log_msg( "MSTW_TR_ImporterPlugin.post:" );
-            //mstw_tr_log_msg( $options );
             
             if ( !$options ) {
@@ -235 +228 @@
             switch( $options['submit_value'] ) {
                 case __( 'Import Teams', 'team-rosters' ):
+                    // First check for nonce
+                    if ( isset( $_POST['mstw-tr-nonce'] ) ) {
+                        //wp_verify_nonce( sanitize_key( wp_unslash( $_POST['mstw-tr-nonce'] ) );
+                        $safeNonce = wp_esc_key( wp_unslash( $_POST['mstw-tr-nonce'] ) );
+                        if ( !wp_verify_nonce( $safeNonce, 'import-teams' ) ) {
+                            mstw_tr_add_admin_notice( 'error', __( 'Problem encountered with CSV file. Exiting.', 'team-rosters' ) );
+                            mstw_log_msg( 'MSTW_TR_CSV_IMPORT_CLASS.post: Problem encountered loading CSV file; bad nonce. Exiting.' );
+                            return;
+                        }   
+                    } else {  //nonce non found
+                        mstw_tr_add_admin_notice( 'error', __( 'Problem encountered with CSV file. Exiting.', 'team-rosters' ) );
+                        mstw_log_msg( 'MSTW_TR_CSV_IMPORT_CLASS.post: Problem encountered updating roster; nonce missing. Exiting.' );
+                        return; 
+                    }
+                    
+                    // Nonce ok. Proceed with progessing.
                     $file_id = 'csv_teams_import';
                     //$msg_str is only used in summary messages
@@ -241 +250 @@
                     
                 case __( 'Import Players', 'team-rosters' ):
+                    // First check for nonce
+                    if ( isset( $_POST['mstw-tr-nonce'] ) ) {
+                        //wp_verify_nonce( sanitize_key( wp_unslash( $_POST['mstw-tr-nonce'] ) );
+                        $safeNonce = wp_esc_key( wp_unslash( $_POST['mstw-tr-nonce'] ) );
+                        
+                        if ( !wp_verify_nonce( $safeNonce, 'import-teams' ) ) {
+                            mstw_tr_add_admin_notice( 'error', __( 'Problem encountered with CSV file. Exiting.', 'team-rosters' ) );
+                            mstw_log_msg( 'MSTW_TR_CSV_IMPORT_CLASS.post: Problem encountered loading CSV file; bad nonce. Exiting.' );
+                            return;
+                        }
+                        
+                    } else {  //nonce non found
+                        mstw_tr_add_admin_notice( 'error', __( 'Problem encountered with CSV file. Exiting.', 'team-rosters' ) );
+                        mstw_log_msg( 'MSTW_TR_CSV_IMPORT_CLASS.post: Problem encountered updating roster; nonce missing. Exiting.' );
+                        return;
+                        
+                    }
+                    
                     $file_id = 'csv_players_import';
                     //$msg_str is only used in summary messages
@@ -314 +341 @@
             }
 
-            if (file_exists($file)) {
-                @unlink($file);
+            if ( file_exists($file) ) {
+                $deleteFile = wp_delete_file( $file );
+                if ( !$deleteFile ) {
+                    mstw_log_msg( "CSV Import: Error deleting file $file" );
+                }
             }
 
@@ -329 +359 @@
             
             //always add notice for records imported and elapsed time
-            //$format = _n( 'Imported %1$s %2$s in %4$.2f seconds.', 'Imported %1$s %3$s in %4$.2f seconds.', $imported, 'team-rosters' );
-            //$admin_notice = sprintf( $format, $imported, $msg_str[0], $msg_str[1], $exec_time );
             $admin_notice = sprintf(
                 /* translators: %1$s/%2$s 'record' or 'records' processed */
@@ -592 +620 @@
             
             // Split the $url into two pars with the wp-content directory as the separator
-            $parsed_url = explode( parse_url( WP_CONTENT_URL, PHP_URL_HOST ), $url );
+            $parsed_url = explode( wp_parse_url( WP_CONTENT_URL, PHP_URL_HOST ), $url );
             
             // Get the host of the current site and the host of the $url, ignoring www
-            $this_host = str_ireplace( 'www.', '', parse_url( home_url( ), PHP_URL_HOST ) );
-            $file_host = str_ireplace( 'www.', '', parse_url( $url, PHP_URL_HOST ) );
+            $this_host = str_ireplace( 'www.', '', wp_parse_url( home_url( ), PHP_URL_HOST ) );
+            $file_host = str_ireplace( 'www.', '', wp_parse_url( $url, PHP_URL_HOST ) );
 
             // Return nothing if there aren't any $url parts or if the current host and $url host do not match
@@ -606 +634 @@
                 // Example: /uploads/2013/05/test-image.jpg
                 global $wpdb;
-
-                $attachment = $wpdb->get_col( $wpdb->prepare( "SELECT ID FROM {$wpdb->prefix}posts WHERE guid RLIKE %s;", $parsed_url[1] ) );
+                //
+                // I have no idea how to address the PCP warnings about direct database calls here
+                // Is there a better "wordpress" way to accomplish this?
+                //
+                $attachment = $wpdb->get_col( $wpdb->prepare( "SELECT ID FROM {$wpdb->prefix} posts WHERE guid RLIKE %s;", $parsed_url[1] ) );
         
                 // Returns -1 if no attachment is found
@@ -724 +755 @@
                 if ($bytes == pack('CCC', 0xef, 0xbb, 0xbf)) {
                     $this->log['notice'][] = 'Getting rid of byte order mark...';
-                    fclose($res);
+                    fclose( $res );
 
                     $contents = file_get_contents( $fname );
@@ -788 +819 @@
             //mstw_tr_log_msg( "MSTW_TR_ImporterPlugin.add_help:" );
             ?>
-            <p><?php _e( 'This screen allows the import of teams and players from files in CSV format. Sample file formats are available in the Users Manual (link below).', 'team-rosters' ) ?></p>
-            
-            <p><?php _e( 'To import teams, simply choose the CSV file and click "Import Teams".', 'team-rosters' ) ?></p>
-            
-            <p><?php _e( 'To import players, first select the CSV file containing the players, then you have some options:.', 'team-rosters' ) ?></p>
+            <p><?php esc_html_e( 'This screen allows the import of teams and players from files in CSV format. Sample file formats are available in the Users Manual (link below).', 'team-rosters' ) ?></p>
+            
+            <p><?php esc_html_e( 'To import teams, simply choose the CSV file and click "Import Teams".', 'team-rosters' ) ?></p>
+            
+            <p><?php esc_html_e( 'To import players, first select the CSV file containing the players, then you have some options:.', 'team-rosters' ) ?></p>
             
             <ul>
-            <li><?php _e( 'Select an existing team. Players will be addeded to that team.', 'team-rosters' ) ?></li>
-            <li><?php _e( 'Don\'t elect an existing team, and provide the team(s) in the player_teams column of the CSV file. This allows players to be added to multiple teams (or no team) using one CSV file.', 'team-rosters' ) ?></li>
-            <li><?php _e( 'Choose whether you want the player photos (provided in the CSV file) to be moved to the Media Library. If you are moving teams from a different site, you probably want to do this. If you are moving players on the same site, you probably do not want to do this since it will create duplicate image files in the Media Library.', 'team-rosters' ) ?></li>
+            <li><?php esc_html_e( 'Select an existing team. Players will be addeded to that team.', 'team-rosters' ) ?></li>
+            <li><?php esc_html_e( 'Don\'t elect an existing team, and provide the team(s) in the player_teams column of the CSV file. This allows players to be added to multiple teams (or no team) using one CSV file.', 'team-rosters' ) ?></li>
+            <li><?php esc_html_e( 'Choose whether you want the player photos (provided in the CSV file) to be moved to the Media Library. If you are moving teams from a different site, you probably want to do this. If you are moving players on the same site, you probably do not want to do this since it will create duplicate image files in the Media Library.', 'team-rosters' ) ?></li>
             </ul>
             
-            <p><?php _e( 'NOTE THAT IT CAN TAKE A SIGNFICANT AMOUNT OF TIME TO IMPORT PLAYERS. In fact, if the CSV file is too large, WordPress process can time out at the server. If so, simply divide the players up across two or more CSV files.', 'team-rosters' ) ?></p>
-            
-            <p><a href="http://shoalsummitsolutions.com/loading-rosters-from-csv-files-v-4-0/" target="_blank"><?php _e( 'See the plugin Users Manual on shoalsummitsolutions.com', 'team-rosters' ) ?></a></p>
+            <p><?php esc_html_e( 'NOTE THAT IT CAN TAKE A SIGNFICANT AMOUNT OF TIME TO IMPORT PLAYERS. In fact, if the CSV file is too large, WordPress process can time out at the server. If so, simply divide the players up across two or more CSV files.', 'team-rosters' ) ?></p>
+            
+            <p><a href="http://shoalsummitsolutions.com/loading-rosters-from-csv-files-v-4-0/" target="_blank"><?php esc_html_e( 'See the plugin Users Manual on shoalsummitsolutions.com', 'team-rosters' ) ?></a></p>
             
             <?php

team-rosters/trunk/includes/mstw-tr-data-fields-columns-settings.php

@@ -27 +27 @@
     function mstw_tr_data_fields_setup( ) {
         //mstw_log_msg( 'mstw_tr_data_fields_setup:' );
-        
         mstw_tr_data_fields_left_setup( );
         mstw_tr_data_fields_center_setup( );
         mstw_tr_data_fields_right_setup( );
-        
     }
     
@@ -43 +41 @@
         $display_on_page   = 'mstw-tr-data-fields-labels';
         $page_section      = 'mstw-tr-fields-labels';
-        $instruct_callback = null; //'mstw_tr_data_fields_inst';
+        $instruct_callback = null;
         $section_title     = __( 'Data Fields Labels', 'team-rosters' );
         
@@ -222 +220 @@
         $display_on_page   = 'mstw-tr-fields-show-hide';
         $page_section      = 'mstw-tr-fields-show-hide';
-        $instruct_callback = null; //'mstw_tr_data_fields_inst';
+        $instruct_callback = null;
         $section_title     = __( 'Visibility', 'team-rosters' );
         
@@ -400 +398 @@
         $display_on_page   = 'mstw-tr-fields-order';
         $page_section      = 'mstw-tr-fields-order';
-        $instruct_callback = null; //'mstw_tr_data_fields_inst';
+        $instruct_callback = null;
         $section_title     = __( 'Order', 'team-rosters' );
         
@@ -568 +566 @@
         
     } //End: mstw_tr_data_fields_right_setup()
-
-    
-    
-//----------------------------------------------------------------- 
-//  Colors table section instructions   
-//  
-    if( !function_exists( 'mstw_tr_data_fields_inst' ) ) {
-        function mstw_tr_data_fields_inst( ) {
-            echo '<p>' . __( 'Field Labels. ', 'team-rosters' ) .'</p>';
-        } //End: mstw_tr_data_fields_inst()
-    }

team-rosters/trunk/includes/mstw-tr-player-cpt-admin.php

@@ -36 +36 @@
             do_meta_boxes(get_current_screen( ), 'advanced', $post);
             unset( $wp_meta_boxes[get_post_type($post)]['advanced'] );
-            echo "<p class='player-bio-admin-head'>" . __( 'Player Bio:', 'team-rosters' ) . "</p>";
+            ?>
+            <p class='player-bio-admin-head'><?php esc_html_e( 'Player Bio:', 'team-rosters' ) ?></p>
+            <?php
         }
     }  //End: mstw_tr_build_player_screen
@@ -334 +336 @@
             if ( $_POST['post_type'] == 'mstw_tr_player' ) {
                 update_post_meta( $post_id, 'player_first_name', 
-                        strip_tags( $_POST['player_first_name'] ) );
+                        wp_strip_all_tags( $_POST['player_first_name'] ) );
                         
                 update_post_meta( $post_id, 'player_last_name', 
-                        strip_tags( $_POST['player_last_name'] ) );
+                        wp_strip_all_tags( $_POST['player_last_name'] ) );
                         
                 update_post_meta( $post_id, 'player_number', 
-                        strip_tags( $_POST['player_number'] ) );
+                        wp_strip_all_tags( $_POST['player_number'] ) );
                         
                 update_post_meta( $post_id, 'player_position', 
-                        strip_tags( $_POST['player_position'] ) );
+                        wp_strip_all_tags( $_POST['player_position'] ) );
                         
                 update_post_meta( $post_id, 'player_position_long', 
-                        strip_tags( $_POST['player_position_long'] ) ); 
+                        wp_strip_all_tags( $_POST['player_position_long'] ) );  
                         
                 update_post_meta( $post_id, 'player_height', 
                         //$_POST['player_height'] );
-                        strip_tags( $_POST['player_height'] ) );
+                        wp_strip_all_tags( $_POST['player_height'] ) );
                         
                 update_post_meta( $post_id, 'player_weight',  
-                        strip_tags( $_POST['player_weight'] ) );
+                        wp_strip_all_tags( $_POST['player_weight'] ) );
                         
                 update_post_meta( $post_id, 'player_year',  
-                        strip_tags( $_POST['player_year'] ) );
+                        wp_strip_all_tags( $_POST['player_year'] ) );
                         
                 update_post_meta( $post_id, 'player_year_long',  
-                        strip_tags( $_POST['player_year_long'] ) );
+                        wp_strip_all_tags( $_POST['player_year_long'] ) );
                         
                 update_post_meta( $post_id, 'player_experience',
-                        strip_tags( $_POST['player_experience'] ) );
+                        wp_strip_all_tags( $_POST['player_experience'] ) );
                 
                 update_post_meta( $post_id, 'player_age', 
-                        strip_tags( $_POST['player_age'] ) );
+                        wp_strip_all_tags( $_POST['player_age'] ) );
                         
                 update_post_meta( $post_id, 'player_home_town',
-                        strip_tags( $_POST['player_home_town'] ) );
+                        wp_strip_all_tags( $_POST['player_home_town'] ) );
                         
                 update_post_meta( $post_id, 'player_last_school',
-                        strip_tags( $_POST['player_last_school'] ) );
+                        wp_strip_all_tags( $_POST['player_last_school'] ) );
                         
                 update_post_meta( $post_id, 'player_country',
-                        strip_tags( $_POST['player_country'] ) );
+                        wp_strip_all_tags( $_POST['player_country'] ) );
                         
                 update_post_meta( $post_id, 'player_bats',
-                        strip_tags( $_POST['player_bats'] ) );
+                        wp_strip_all_tags( $_POST['player_bats'] ) );
                         
                 update_post_meta( $post_id, 'player_throws',
-                        strip_tags( $_POST['player_throws'] ) );
+                        wp_strip_all_tags( $_POST['player_throws'] ) );
                         
                 update_post_meta( $post_id, 'player_other',
-                        strip_tags( $_POST['player_other'] ) );
+                        wp_strip_all_tags( $_POST['player_other'] ) );
                         
             } //End: if ( $_POST['post_type'] == 'mstw_tr_player' )
@@ -442 +444 @@
                         $teams[$key] =  '<a href="' . $edit_link . '">' . $team->name . '</a>';
                     }
-                        echo implode( ' | ', $teams );
+                        echo wp_kses_post( implode( ' | ', $teams ) );
                 }
                 break;
@@ -448 +450 @@
             case 'first-name' :
                 //printf( '%s', get_post_meta( $post_id, 'player_first_name', true ) );
-                echo( get_post_meta( $post_id, 'player_first_name', true ) );
+                echo esc_html( get_post_meta( $post_id, 'player_first_name', true ) );
                 break;
                 
             case 'last-name' :
-                printf( '%s', get_post_meta( $post_id, 'player_last_name', true ) );
+                echo esc_html( get_post_meta( $post_id, 'player_last_name', true ) );
                 break;
             
             case 'number' :
-                printf( '%s', get_post_meta( $post_id, 'player_number', true ) );
+                echo esc_html( get_post_meta( $post_id, 'player_number', true ) );
                 break;
                     
             case 'position' :
-                printf( '%s', get_post_meta( $post_id, 'player_position', true ) );
+                echo esc_html( get_post_meta( $post_id, 'player_position', true ) );
                 break;
                 
             case 'position_long' :
-                printf( '%s', get_post_meta( $post_id, 'player_position_long', true ) );
+                echo esc_html( get_post_meta( $post_id, 'player_position_long', true ) );
                 break;
                 
             case 'height' :
-                printf( '%s', get_post_meta( $post_id, 'player_height', true ) );
+                echo esc_html( get_post_meta( $post_id, 'player_height', true ) );
                 break;
                 
             case 'weight' :
-                printf( '%s', get_post_meta( $post_id, 'player_weight', true ) );
+                echo esc_html( get_post_meta( $post_id, 'player_weight', true ) );
                 break;
 
             case 'year' :
-                printf( '%s', get_post_meta( $post_id, 'player_year', true ) );
+                echo esc_html( get_post_meta( $post_id, 'player_year', true ) );
                 break;
                 
             case 'experience' :
-                printf( '%s', get_post_meta( $post_id, 'player_experience', true ) );
+                echo esc_html( get_post_meta( $post_id, 'player_experience', true ) );
                 break;
                 
@@ -533 +535 @@
                     
                 //output the html for the drop down menu
-                echo "<select name='$tax_slug' id='$tax_slug' class='postform'>";
-                echo "<option value=''>" . __( 'Show All Teams', 'team-rosters') . "</option>";
+                ?>
+                <select name='<?php echo esc_html( $tax_slug ) ?>' id='<?php echo esc_html( $tax_slug ) ?>' class='<?php echo esc_html( 'postform' ) ?>'>" );
+                <option value=""> <?php esc_html_e( 'Show All Teams', 'team-rosters') ?> </option>
+                <?php
                 
                 //output each select option line
@@ -545 +549 @@
                         $selected = '';
                     }
-                    echo '<option value=' . $term->slug . $selected . '>' . $term->name . ' (' . $term->count . ')</option>';
+                    ?>
+                    <option value='<?php echo esc_html( $term->slug . $selected ) ?>' > <?php echo esc_html( $term->name . '(' . $term->count . ')' ) ?> </option>
+        <?php 
                 }
-                echo '</select>';
+                ?></select><?php
             }   
         }
@@ -652 +658 @@
             case 'players-screen-help':
                 ?>
-                <p><?php _e( 'This screen provides a list of selected data fields for all players. The list may be filtered to show only one team using the Teams filter.', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'To add a player, click the "Add New Player" button at the top of the screen. Players may also be added using the "Add Players to Roster" screen or the "CSV Import" screen.', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'To edit a player, roll over the "Name" field and selecte "Edit".', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'To delete a player, roll over the "Name" field and selecte "Trash". Note that the player is moved to the trash BUT NOT REMOVED FROM THE DB. To delete the player from the DB, or to restore the player, click on the "Trash" link and delete selected players permanently or empty the trash.', 'team-rosters' ) ?></p>
-                
-                <p><a href="http://shoalsummitsolutions.com/tr-data-entry-players/" target="_blank"><?php _e( 'See the Data Entry - Players man page for more details.', 'team-rosters' ) ?></a></p>
+                <p><?php esc_html_e( 'This screen provides a list of selected data fields for all players. The list may be filtered to show only one team using the Teams filter.', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'To add a player, click the "Add New Player" button at the top of the screen. Players may also be added using the "Add Players to Roster" screen or the "CSV Import" screen.', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'To edit a player, roll over the "Name" field and selecte "Edit".', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'To delete a player, roll over the "Name" field and selecte "Trash". Note that the player is moved to the trash BUT NOT REMOVED FROM THE DB. To delete the player from the DB, or to restore the player, click on the "Trash" link and delete selected players permanently or empty the trash.', 'team-rosters' ) ?></p>
+                
+                <p><a href="http://shoalsummitsolutions.com/tr-data-entry-players/" target="_blank"><?php esc_html_e( 'See the Data Entry - Players man page for more details.', 'team-rosters' ) ?></a></p>
                 <?php               
                 break;
@@ -666 +672 @@
             case 'edit-player-help':
                 ?>
-                <p><?php _e( 'Title. The player title should always be entered. However, it does not appear anywhere on the front end.', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'First Name and Last Name. At least one of these fields should be entered; otherwise, no name will appear on the front end.', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'Use the Manage Teams metabox to add a player to one or more teams; otherwise, the player will not appear on the front end.', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'Use the Manage Teams metabox to add a player to one or more teams; otherwise, the player will not appear on the front end.', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'Use the Player Photo metabox to add a player photo from the Media Gallery.', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'Use the Player Bio metabox to add a player profile/bio. Note that you can add HTML to this field to add photos, tables, links, etc.', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'Delete a player by clicking the "Move to Trash" link in the Publish metabox. See the instructions on deleting players above.', 'team-rosters' ) ?></p>
-
-                <p><a href="http://shoalsummitsolutions.com/tr-data-entry-players/" target="_blank"><?php _e( 'See the Data Entry - Players man page for more details.', 'team-rosters' ) ?></a></p>
+                <p><?php esc_html_e( 'Title. The player title should always be entered. However, it does not appear anywhere on the front end.', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'First Name and Last Name. At least one of these fields should be entered; otherwise, no name will appear on the front end.', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'Use the Manage Teams metabox to add a player to one or more teams; otherwise, the player will not appear on the front end.', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'Use the Manage Teams metabox to add a player to one or more teams; otherwise, the player will not appear on the front end.', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'Use the Player Photo metabox to add a player photo from the Media Gallery.', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'Use the Player Bio metabox to add a player profile/bio. Note that you can add HTML to this field to add photos, tables, links, etc.', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'Delete a player by clicking the "Move to Trash" link in the Publish metabox. See the instructions on deleting players above.', 'team-rosters' ) ?></p>
+
+                <p><a href="http://shoalsummitsolutions.com/tr-data-entry-players/" target="_blank"><?php esc_html_e( 'See the Data Entry - Players man page for more details.', 'team-rosters' ) ?></a></p>
                 <?php               
                 break;
@@ -700 +706 @@
             case 'update-games-overview':
                 ?>
-                <p><?php _e( 'This screen allows updating the status of all games in a league and season.', 'team-rosters' ) ?></p>
-                <p><?php _e( 'Select a LEAGUE and SEASON then press the Update Games Table button.', 'team-rosters' ) ?></p>
-                <p><?php _e( 'Enter the status in information for each game.', 'team-rosters' ) ?></p>
-                <p><a href="http://shoalsummitsolutions.com/lm-update-games/" target="_blank"><?php _e( 'See the Update Games man page for more details.', 'team-rosters' ) ?></a></p>
+                <p><?php esc_html_e( 'This screen allows updating the status of all games in a league and season.', 'team-rosters' ) ?></p>
+                <p><?php esc_html_e( 'Select a LEAGUE and SEASON then press the Update Games Table button.', 'team-rosters' ) ?></p>
+                <p><?php esc_html_e( 'Enter the status in information for each game.', 'team-rosters' ) ?></p>
+                <p><a href="http://shoalsummitsolutions.com/lm-update-games/" target="_blank"><?php esc_html_e( 'See the Update Games man page for more details.', 'team-rosters' ) ?></a></p>
                 <?php               
                 break;

team-rosters/trunk/includes/mstw-tr-player-profiles-galleries-settings.php

@@ -185 +185 @@
     if( !function_exists( 'mstw_tr_bio_gallery_inst' ) ) {
         function mstw_tr_bio_gallery_inst( ) {
-            echo '<p>' . __( 'Unless otherwise noted, these settings will apply to both the Single Player Profile and Team Gallery pages. ', 'team-rosters' ) .'</p>';
+            echo '<p>', esc_html__( 'Unless otherwise noted, these settings will apply to both the Single Player Profile and Team Gallery pages. ', 'team-rosters' ), '</p>';
         } //End: mstw_tr_bio_gallery_inst()
     }

team-rosters/trunk/includes/mstw-tr-roster-color-settings.php

@@ -264 +264 @@
         //mstw_log_msg( 'mstw_tr_table_color_inst:' );
         
-        echo '<p>' . __( 'These settings will apply to ALL the roster tables [mstw-roster-table], overriding the default styles. However they can be overridden by more specific stylesheet rules for specific teams. See the plugin documentation for more details.', 'team-rosters' ) . '</p>';
+        echo '<p>', esc_html__( 'These settings will apply to ALL the roster tables [mstw-roster-table], overriding the default styles. However they can be overridden by more specific stylesheet rules for specific teams. See the plugin documentation for more details.', 'team-rosters' ), '</p>';
     
     } //End: mstw_tr_table_color_inst()
@@ -275 +275 @@
         //mstw_log_msg( 'mstw_tr_table2_color_inst:' );
 
-        echo '<p>' . __( 'These settings will apply to ALL the table 2 roster tables [mstw-tr-roster-2], overriding the default styles. However they can be overridden by more specific stylesheet rules for specific teams. See the plugin documentation for more details. NOTE: this shortcode does not support team colors and does not have borders.', 'team-rosters' ) . '</p>';
+        echo '<p>', esc_html__( 'These settings will apply to ALL the table 2 roster tables [mstw-tr-roster-2], overriding the default styles. However they can be overridden by more specific stylesheet rules for specific teams. See the plugin documentation for more details. NOTE: this shortcode does not support team colors and does not have borders.', 'team-rosters' ), '</p>';
     
     } //End: mstw_tr_table2_color_inst()

team-rosters/trunk/includes/mstw-tr-roster-table-settings.php

@@ -300 +300 @@
         //mstw_log_msg( 'mstw_tr_roster_table_inst:' );
     
-        echo '<p>' . __( 'These settings will apply to all the [mstw-tr-roster] shortcode tables, overriding the settings defaults. In most cases, these settings can be overridden by shortcode arguments.', 'team-rosters' ) .'</p>';
+        echo '<p>', esc_html__( 'These settings will apply to all the [mstw-tr-roster] shortcode tables, overriding the settings defaults. In most cases, these settings can be overridden by shortcode arguments.', 'team-rosters' ),'</p>';
         
     } //End: mstw_tr_roster_table_inst()
@@ -307 +307 @@
         //mstw_log_msg( 'mstw_tr_roster_table_2_inst:' );   
     
-        echo '<p>' . __( 'These settings will apply to all the [mstw-tr-roster-2] shortcode tables, overriding the settings defaults. In most cases, these settings can be overridden by shortcode arguments.', 'team-rosters' ) .'</p>';
+        echo '<p>', esc_html__( 'These settings will apply to all the [mstw-tr-roster-2] shortcode tables, overriding the settings defaults. In most cases, these settings can be overridden by shortcode arguments.', 'team-rosters' ), '</p>';
         
     } //End: mstw_tr_roster_table_2_inst()

team-rosters/trunk/includes/mstw-tr-roster-tables-class.php

@@ -2 +2 @@
  /*---------------------------------------------------------------------------
  *  mstw-tr-roster-tables-class.php
- *  Contains the classes for the MSTW League Manager Sport schedule table
- *  shortcodes [mstw_lm_sport_schedule] 
+ *  Contains the classes for the MSTW Roster Tables (2)
+ *  shortcodes [mstw_tr_roster_2] 
  *
  *  MSTW Wordpress Plugins (http://shoalsummitsolutions.com)
@@ -60 +60 @@
                 
                 // tableID allows multiple tables on the same page
-                $tableID = $this -> safeGet( 'table_id', $args, mt_rand( 1000, 9999 ) );
+                $tableID = $this -> safeGet( 'table_id', $args, wp_rand( 1000, 9999 ) );
                 
                 // merge the shortcode arguments and the settings/options
@@ -68 +68 @@
                     
                     ?>
-                    <div class='mstw-tr-roster-table-container mstw-tr-roster-table-container-<?php echo $teamSlug ?>' id='mstw-tr-roster-table-container-<?php echo $tableID ?>'>
-                    
-    
+                    <div class='mstw-tr-roster-table-container mstw-tr-roster-table-container-<?php echo esc_html( $teamSlug )?>' id='mstw-tr-roster-table-container-<?php echo esc_html( $tableID ) ?>'>   
                             <?php $noControls = $this -> safeGet( 'no_controls', $args, null );
                             //mstw_log_msg( "noControls= $noControls" );
@@ -77 +75 @@
                                 <!--<div class='mstw-tr-roster-title-controls mstw-tr-roster-title-controls-<?php //echo $teamSlug ?>'>-->
                                     <?php //echo $this -> build_roster_title( $teamSlug, $attribs ); ?>
-                                    <div class='roster-sort-controls roster-sort-controls-<?php echo $teamSlug ?> MSTW-flex-row'>
-                                        <?php echo $this -> build_roster_sort_controls( $teamSlug, $attribs, $args, $argsStr, $tableID ); ?>
+                                    <div class='roster-sort-controls roster-sort-controls-<?php echo esc_html( $teamSlug ) ?> MSTW-flex-row'>
+                                        <?php 
+                                        // build_roster_sort_controls buffers the output so I am escaping earlier then here
+                                        $controls_escaped = $this -> build_roster_sort_controls( $teamSlug, $attribs, $args, $argsStr, $tableID );
+                                        echo $controls_escaped;
+                                        //echo $this -> build_roster_sort_controls( $teamSlug, $attribs, $args, $argsStr, $tableID ); 
+                                        ?>
                                     </div>
                                 <!-- </div> .mstw-tr-roster-title-controls -->
                             <?php
                             } ?>
-                        
-                        
-                        <div class= 'mstw-tr-roster-players mstw-tr-roster-players-<?php echo $teamSlug ?>' id='mstw-tr-roster-players-<?php echo $tableID ?>'>
+
+                        <div class= 'mstw-tr-roster-players mstw-tr-roster-players-<?php echo esc_html( $teamSlug )?>' id='mstw-tr-roster-players-<?php echo esc_html( $tableID ) ?>'>
                         <?php
-                            
                             // get the players
                             $players = mstw_tr_build_player_list( $teamSlug, 'objects', $attribs );
                         
                             // build the html
-                            echo $this -> buildTableHTML( $teamSlug, $players, $attribs, $shortcode, $tableID );
+                            $table_escaped = $this -> buildTableHTML( $teamSlug, $players, $attribs, $shortcode, $tableID );
+                            // I can't seem to escape late because I'm buffering the html then I output it
+                            echo $table_escaped;
                             ?>
                         </div>
@@ -123 +126 @@
         
         ?>
-        <ul class='mstw-tr-roster-player-list mstw-tr-roster-player-list-<?php echo $teamSlug ?> mstw-tr-roster-player-list-<?php echo $tableID ?>'>
+        <ul class='mstw-tr-roster-player-list mstw-tr-roster-player-list-<?php echo esc_html( $teamSlug ) ?> mstw-tr-roster-player-list-<?php echo esc_html( $tableID ) ?>'>
             
             <!-- Why is this needed ?? -->
             <?php $team_class = 'mstw-tr-table_' . $teamSlug; ?>
-            <div style='display:none' id='table-id'><?php echo $team_class ?></div>
+            <div style='display:none' id='table-id'><?php echo esc_html( $team_class )?></div>
         
             <?php
@@ -141 +144 @@
                 ?>
                 <li class='mstw-tr-roster-player'>
-                    <div class='mstw-tr-roster-player-container mstw-tr-roster-player-container-<?php echo $teamSlug ?> MSTW-flex-row'>
+                    <div class='mstw-tr-roster-player-container mstw-tr-roster-player-container-<?php echo esc_html( $teamSlug ) ?> MSTW-flex-row'>
                 
                     <?php //PRIMARY INFO COLUMN ?>
@@ -149 +152 @@
                             // PHOTO COLUMN
                             // 'profile' prevents link
-                            echo $this -> buildPlayerPhoto( $player, $teamSlug, $attribs );
+                            echo wp_kses_post( $this -> buildPlayerPhoto( $player, $teamSlug, $attribs ) );
                         ?>
                         </div>
@@ -158 +161 @@
                         
                             <div class='mstw-tr-roster-player-position MSTW-uppercase'>
-                                <?php echo $this -> get_player_position( $player ); ?>
+                                <?php echo esc_html( $this -> get_player_position( $player ) ); ?>
                             </div>
                             
                             <div class='mstw-tr-roster-player-number-name MSTW-uppercase'>
                                 <?php
-                                $playerName = $this -> buildPlayerName( $player, $teamSlug, $attribs, 0 );
+                                $playerNameLink_escaped = $this -> buildPlayerName( $player, $teamSlug, $attribs, 1 );
                                 $playerNumber = get_post_meta( $player->ID, 'player_number', true );
                                 ?>
-                                <span class='jersey'><?php echo $playerNumber ?></span><h3 class='player-name MSTW-uppercase'><?php echo $playerName ?> </h3>
+                                <span class='jersey'><?php echo esc_html( $playerNumber ) ?></span>
+                                <h3 class='player-name MSTW-uppercase'><?php echo $playerNameLink_escaped ?> </h3>
                             </div>
                             
@@ -175 +179 @@
                     <div class='mstw-tr-roster-player-other'>
                         <div class='mstw-tr-roster-player-other-data'>                          
-                            <span class='mstw-tr-player-data-1'><?php echo $dataField1 ?></span>
-                            <span class='mstw-tr-player-data-2'><?php echo $dataField2 ?></span>
-                            <span class='mstw-tr-player-data-3'><?php echo $dataField3 ?></span>                        </div>
+                            <span class='mstw-tr-player-data-1'><?php echo esc_html( $dataField1 ) ?></span>
+                            <span class='mstw-tr-player-data-2'><?php echo esc_html( $dataField2 ) ?></span>
+                            <span class='mstw-tr-player-data-3'><?php echo esc_html( $dataField3 ) ?></span>                        </div>
                         <div class='mstw-tr-roster-player-bio'>
-                            <?php $playerLink = '<a href="' .  get_permalink( $player->ID ) . '?roster_type=' . $this -> safeGet( 'roster_type', $attribs, 'custom' ) . '&' . 'team=' . $teamSlug . '"'; ?>
-                            <?php echo $playerLink ?>>> FULL BIO </a>  <!-- &#9654; -->
+                            <?php $playerLink = get_permalink( $player->ID ) . '?roster_type=' . $this -> safeGet( 'roster_type', $attribs, 'custom' ) . '&' . 'team=' . $teamSlug . '"'; ?>
+                            <a href="<?php echo esc_html( $playerLink ) ?>"> FULL BIO</a>
+                            
                         </div>
                     </div> <?php // .mstw=tr=roster-player-other-data ?>
@@ -235 +240 @@
             $last_name = get_post_meta($player->ID, 'player_last_name', true );
             $alt = "$first_name $last_name";
-            $photo_html = "<img src='$photo_file_url' alt='$alt' />";
+            $attr = "alt=$alt";
+
+            $photo_html = wp_get_attachment_image( get_post_thumbnail_id( $player->ID ),                                                                                         'thumbnail', 
+                                                                                         false, 
+                                                                                         $attr 
+                                                                                         );
             
         } else {
@@ -272 +282 @@
     //      $player - player CPT object (mstw_tr_player)
     //      $options - shortcode args and team roster settings merged
-    //      $addProfileLink - include a like to the player profile
+    //      $addProfileLink - include a link to the player profile
     //  RETURNS
     //      $player_name in the specified format
@@ -298 +308 @@
         } 
         
-        $player_html = $player_name;
-        
-        $paramStr = '?roster_type=' . $options['roster_type'];
-        if ( $teamSlug ) {
-            $paramStr .= "&team=$teamSlug";
+        //$player_html = $player_name;
+        
+        if ( $addProfileLink ) {
+            $paramStr = '?roster_type=' . $options['roster_type'];
+            if ( $teamSlug ) {
+                $paramStr .= "&team=$teamSlug";
+            }
+            $ret_html = '<a href="' .  esc_url( get_permalink( $player->ID ) ) . esc_html( $paramStr ) . '" ';
+            $ret_html .= '>' . esc_html( $player_name ) . '</a>';
+            
+            //$ret_html = get_permalink( $player->ID ) . $paramStr . '" ';
+            //$ret_html .= '>' . $player_html;
         }
-        
-        $ret_html = '<a href="' .  get_permalink( $player->ID ) . $paramStr . '" ';
-        $ret_html .= '>' . $player_html . '</a>';
-        
-        //if( $addProfileLink ) {
-            //if ( $options['links_to_profiles'] ) {
-                //$player_html = '<a href="' .  get_permalink( $player->ID ) . '?roster_type=' . $options['roster_type'] . '" ';
-                //$player_html .= '>' . $player_name . '</a>';
-            //}
-        //}
-    
-        //return $player_html;
+        else {
+            $ret_html = $player_name;
+            
+        }
+        
         return $ret_html;
         
-    } //End: buildPlayerName()
+    } //End: buildPlayerName( )
 
     //-----------------------------------------------------------------------------
@@ -484 +494 @@
                 //
                 // the team must be provided in the shortcode args; 
-                //
-                /*
-                $team = $this -> safeGet( 'team', $atts, null );
-                if ( null === $team ) {
-                    return '<h3>No team specified in shortcode.</h3>';
-                }
-                */
-                
-                //
                 // the roster type comes from the shortcode args; defaults to 'custom'
                 //
@@ -530 +531 @@
         
     //--------------------------------------------------------------------------------------
-    // build_roster_sort_control - Returns the HTML for a team roster sort controls
+    // build_roster_sort_controls - Returns the HTML for a team roster sort controls
     //
     //  ARGUMENTS: 
@@ -558 +559 @@
             
         ob_start( ); 
-            echo $this -> build_roster_title( $team, $attribs );
+            echo esc_html( $this -> build_roster_title( $team, $attribs ) );
             ?>
             <form id='tr-sort-controls' class='MSTW-flex-row' >
-                <input type='hidden' id='roster-team' value='<?php echo $team ?>'/>
-                <input type="hidden" id='tableID' value="<?php echo $tableID ?>" />
-                <input type="hidden" id='args_<?php echo $tableID ?>' value="<?php echo $argsStr ?>" />
+                <input type='hidden' id='roster-team' value='<?php echo esc_html( $team ) ?>'/>
+                <input type="hidden" id='tableID' value="<?php echo esc_html( $tableID ) ?>" />
+                <input type="hidden" id='args_<?php echo esc_html( $tableID ) ?>' value="<?php echo esc_html( $argsStr )?>" />
                 
                 <div class='tr-sort-menu'> 
-                    <select name='tr-sort-menu' id='tr-sort-menu_<?php echo $tableID ?>'>
+                    <select name='tr-sort-menu' id='tr-sort-menu_<?php echo esc_html( $tableID ) ?>'>
                         <?php 
                         foreach( $choices as $slug => $label ) {
                             $selected = ( $currentSortOrder == $slug ) ? 'selected="selected"' : '';
                             ?>
-                            <option value=<?php echo "$slug $selected" ?>> <?php echo $label ?></option>
+                            <option value=<?php echo esc_html( "$slug $selected" ) ?>> <?php echo esc_html( $label ) ?></option>
                             <?php
                         }
@@ -579 +580 @@
                 
                 <div class='tr-sort-button'>
-                    <input type='button' class='secondary tr-sort-submit' id='<?php echo $tableID ?>' name='<?php echo $team ?>' value=<?php _e( 'Sort Roster', 'team-rosters' ) ?>/>
+                    <input type='button' class='secondary tr-sort-submit' id='<?php echo esc_html( $tableID ) ?>' name='<?php echo esc_html( $team )?>' value=<?php esc_html_e( 'Sort Roster', 'team-rosters' ) ?>/>
                 </div> 
                 

team-rosters/trunk/includes/mstw-tr-settings.php

@@ -48 +48 @@
         <!-- The settings screen main form; includes all tabs -->
         <div class="wrap">
-            <h2><?php echo __( 'Team Rosters Plugin Settings', 'team-rosters') ?></h2>
+            <h2><?php esc_html_e( 'Team Rosters Plugin Settings', 'team-rosters') ?></h2>
             
             <?php 
@@ -136 +136 @@
                 <tr>
                     <td>
-                        <input name="Submit" type="submit" class="button-primary" value="<?php _e( 'Save Changes', 'team-rosters' ) ?>" />
-                    
-                        <input type="submit" class="button-secondary" id="reset_btn" name="<?php echo $options_name ?>" onclick="tr_confirm_reset_defaults()" value="<?php _e( 'Reset Defaults', 'team-rosters' ) ?>" />
+                        <input name="Submit" type="submit" class="button-primary" value="<?php esc_html_e( 'Save Changes', 'team-rosters' ) ?>" />
+                    
+                        <input type="submit" class="button-secondary" id="reset_btn" name="<?php echo esc_html( $options_name ) ?>" onclick="tr_confirm_reset_defaults()" value="<?php esc_html_e( 'Reset Defaults', 'team-rosters' ) ?>" />
                     </td>
                 </tr>
@@ -164 +164 @@
             $class = ( $tab == $current_tab ) ? ' nav-tab-active' : '';
             //echo "<a class='nav-tab$class' href='edit.php?post_type=mstw_tr_player&page=mstw-tr-settings&tab=$tab'>$name</a>";
-            echo "<a class='nav-tab$class' href='admin.php?page=mstw-tr-settings&tab=$tab'>$name</a>";
+            echo wp_kses_post( "<a class='nav-tab$class' href='admin.php?page=mstw-tr-settings&tab=$tab'>$name</a>" );
         }
         echo '</h2>';
@@ -222 +222 @@
                 '<p>' . __('Note that these settings apply to ALL roster and player displays (tables, profiles, galleries) on the site. To control individual displays by team, set the corresponding arguments in the shortcodes.', 'team-rosters' ) . "</p>\n" .
                 '<p><a href="http://shoalsummitsolutions.com/tr-data-fields-columns/" target="_blank">' . __( 'See the Team Rosters Users Manual for more documentation.', 'team-rosters' ) . "</a></p>\n";
-        echo $help;
+        echo wp_kses_post( $help );
     } //End:mstw_tr_data_fields_columns_help( )
 
@@ -231 +231 @@
                 '<p><a href="http://shoalsummitsolutions.com/tr-roster-tables/" target="_blank">' . __( 'See the Team Rosters Users Manual for more documentation.', 'team-rosters' ) . "</a></p>\n";
                 
-        echo $help;
+        echo wp_kses_post( $help );
     } //End: mstw_tr_roster_tables_help( )
         
@@ -247 +247 @@
                 "</a></p>\n";
                 
-        echo $help;
+        echo wp_kses_post( $help );
     } //End: mstw_tr_roster_table_colors_help( )
 
@@ -256 +256 @@
                 '<p>' . __('Note that these settings apply to ALL player profiles and galleries on the site. There are a number of other ways to customize the displays for individual teams, including shortcode arguments and custom stylesheets (CSS). See the Users Manual (link below) for more information.', 'team-rosters' ) . "</p>\n" .
                 '<p><a href="http://shoalsummitsolutions.com/tr-player-profiles-galleries/" target="_blank">' . __( 'See the Team Rosters Users Manual for more documentation.', 'team-rosters' ) . "</a></p>\n";
-        echo $help;
+        echo wp_kses_post( $help );
     } //End: mstw_tr_player_profiles_galleries_help( )
 

team-rosters/trunk/includes/mstw-tr-team-roster-admin-class.php

@@ -112 +112 @@
         if ( 'POST' == $_SERVER['REQUEST_METHOD'] ) {
             
-            $submit_value = array_key_exists( 'submit', $_POST ) ? stripslashes( $_POST[ 'submit' ] ) : null;
+            $submit_value = array_key_exists( 'submit', $_POST ) ? wp_unslash( $_POST[ 'submit' ] ) : null;
             
             $this->post( compact( 'submit_value' ) );
@@ -122 +122 @@
         <div class="wrap">
         
-        <h1><?php echo $screen_titles[$edit] ?></h1>
+        <h1><?php echo esc_html(  $screen_titles[$edit] ) ?></h1>
         
         <p class='mstw-lm-admin-instructions'>
-         <?php _e( 'Read the contextual help tab on the top right of this screen.', 'team-rosters' ) ?> 
+         <?php esc_html_e( 'Read the contextual help tab on the top right of this screen.', 'team-rosters' ) ?> 
         </p>
         
@@ -168 +168 @@
                 ?>
                     <h1 class='mstw-lm-admin-instructions'>
-                      <?php _e( 'Create a team before editting it\'s roster.', 'team-rosters' );
+                      <?php esc_html_e( 'Create a team before editting it\'s roster.', 'team-rosters' );
                       ?>
                     </h1>
@@ -180 +180 @@
                     
                     if ( $edit ) {
-                        // Don't want button on the Add Games Screen
+                        // Don't want button on the Add Players Screen
                         // Nothing to do if team is changed (ajax still fires)
                         ?>
-                        <a href="<?php  echo admin_url( 'admin.php?page=manage-team-rosters' )?>" class="button mstw-lm-control-button"><?php _e( 'Change Team', 'team-rosters' ) ?></a>
+                        <a href="<?php  echo esc_url( admin_url( 'admin.php?page=manage-team-rosters' ) )?>" class="button mstw-lm-control-button"><?php esc_html_e( 'Change Team', 'team-rosters' ) ?></a>
                         
                         <?php
-                        // Don't need pagination on the Add Games Screen
                         $this -> build_pagination_links( $paged, $players_list -> max_num_pages );
                         
@@ -193 +192 @@
                
                         <br/><p class="description">
-                          <?php _e( 'Caution! This button will update the table with the selected team roster WITHOUT SAVING any changes. Use the Update Roster button at the bottom of the screen to save any changes.', 'team-rosters' ) ?>
+                          <?php esc_html_e( 'Caution! This button will update the table with the selected team roster WITHOUT SAVING any changes. Use the Update Roster button at the bottom of the screen to save any changes.', 'team-rosters' ) ?>
                         <br/></p>
                     
@@ -201 +200 @@
                         ?>
                         <br/><p class="description">
-                          <?php _e( 'Enter players for the selected team. No data will be processed on or after the first row with blank first and last names.', 'team-rosters' ) ?>
+                          <?php esc_html_e( 'Enter players for the selected team. No data will be processed on or after the first row with blank first and last names.', 'team-rosters' ) ?>
                         <br/></p>
                         <?php
@@ -229 +228 @@
               
               <!-- Submit button -->
+                <?php wp_nonce_field( 'add-edit-players', 'mstw-tr-nonce' ); ?>
               <tbody>
               <tr> 
@@ -276 +276 @@
           <tr>
           <?php foreach ( $data_fields as $data_field ) { ?>
-           <th><?php echo $data_field[0] ?></th>
+           <th><?php echo esc_html( $data_field[0] ) ?></th>
            
           <?php } ?>
@@ -376 +376 @@
         if ( null === $player ) {
             ?>
-            <input type="hidden" name="<?php echo $this -> make_tag( "player_slug", $row_nbr ) ?>" value="<?php echo $this -> make_tag( '-1', $row_nbr ) ?>"/>
+            <input type="hidden" name="<?php echo esc_html( $this -> make_tag( "player_slug", $row_nbr ) ) ?>" value="<?php echo esc_html( $this -> make_tag( '-1', $row_nbr ) ) ?>"/>
             <?php
             foreach ( $blank_player as $slug => $value ) {
@@ -398 +398 @@
             ?>
             
-            <input type="hidden" name="<?php echo $this -> make_tag( "player_slug", $row_nbr ) ?>" value="<?php echo $this -> make_tag( $player -> post_name, $row_nbr ) ?>"/>
+            <input type="hidden" name="<?php echo esc_html( $this -> make_tag( "player_slug", $row_nbr ) ) ?>" value="<?php echo esc_html( $this -> make_tag( $player -> post_name, $row_nbr ) ) ?>"/>
             
             <?php
@@ -440 +440 @@
         ?>
         <td>
-          <input type='text' size='<?php echo $size ?>' maxlength = '<?php echo $maxlength ?>' id="<?php echo $tag?>" name="<?php echo $tag?>" value="<?php echo $value ?>" />
+          <input type='text' size='<?php echo esc_html( $size ) ?>' maxlength = '<?php echo esc_html( $maxlength ) ?>' id="<?php echo esc_html( $tag ) ?>" name="<?php echo esc_html( $tag) ?>" value="<?php echo esc_html( $value ) ?>" />
         </td>
         
@@ -468 +468 @@
         
         <td>
-          <select id="<?php echo $tag?>" name="<?php echo $tag?>">
+          <select id="<?php echo esc_html( $tag ) ?>" name="<?php echo esc_html( $tag ) ?>">
             <?php foreach ( $options as $key => $value ) { ?>
-                <option value = "<?php echo $key ?>" <?php selected( $current_value, $key, true )?> > <?php echo $value ?> </option>
+                <option value = "<?php echo esc_html( $key ) ?>" <?php selected( $current_value, $key, true )?> > <?php echo esc_html( $value ) ?> </option>
             <?php } ?>
           </select>
@@ -502 +502 @@
         ?>
         <span class="tr-paginate-links">
-          <?php echo paginate_links( $args ); ?>
+          <?php echo wp_kses_post( paginate_links( $args ) ); ?>
         </span>
         
@@ -566 +566 @@
         if ( $team_list ) {
             ?>
-            <select name='<?php echo $css_tag ?>' id='<?php echo $css_tag ?>' >
+            <select name='<?php echo esc_html( $css_tag ) ?>' id='<?php echo esc_html( $css_tag ) ?>' >
             <?php
             if ( !$edit ) { 
@@ -577 +577 @@
                 $selected = selected( $slug, $current_team, false );
                 ?>
-                <option value=<?php echo "$slug $selected" ?>><?php echo $name ?> </option>
+                <option value=<?php echo esc_html( "$slug $selected" ) ?>><?php echo esc_html( $name ) ?> </option>
             <?php       
             }
@@ -655 +655 @@
     function post( $options ) {
         //mstw_log_msg( 'MSTW_TR_TEAM_ROSTERS_ADMIN.post:' );
+        //
+        //first, do a few checks on form
+        //
+        
+        if ( isset( $_POST['mstw-tr-nonce'] ) ) {
+            //wp_verify_nonce( sanitize_key( wp_unslash( $_POST['mstw-tr-nonce'] ) );
+            $safeNonce = wp_esc_key( wp_unslash( $_POST['mstw-tr-nonce'] ) );
+            
+            if ( !wp_verify_nonce( $safeNonce, 'add-edit-players' ) ) {
+                mstw_tr_add_admin_notice( 'error', __( 'Problem encountered updating roster. Exiting.', 'team-rosters' ) );
+                mstw_log_msg( 'MSTW_TR_TEAM_ROSTERS_ADMIN.post: Problem encountered updating roster; bad nonce. Exiting.' );
+                return;
+            }
+            
+        } else {
+            mstw_tr_add_admin_notice( 'error', __( 'Problem encountered updating roster. Exiting.', 'team-rosters' ) );
+            mstw_log_msg( 'MSTW_TR_TEAM_ROSTERS_ADMIN.post: Problem encountered updating roster; nonce missing. Exiting.' );
+            return;
+            
+        }
         
         if ( !$options ) {
-            mstw_tr_add_admin_notice( 'error', __( 'Problem encountered updating games. Exiting.', 'team-rosters' ) );
-            mstw_log_msg( 'MSTW_TR_TEAM_ROSTERS_ADMIN.post: Problem encountered updating games. Exiting.' );
+            mstw_tr_add_admin_notice( 'error', __( 'Problem encountered updating roster; $options array missing. Exiting.', 'team-rosters' ) );
+            mstw_log_msg( 'MSTW_TR_TEAM_ROSTERS_ADMIN.post: Problem encountered updating roster; nonce missing. Exiting.' );
             return;
         }
@@ -951 +971 @@
         //mstw_log_msg( "MSTW_TR_TEAM_ROSTERS_ADMIN.edit_rosters_help_content:" );
                 ?>
-                <p><?php _e( 'Use this screen to edit the players on a roster in bulk - up to 20 at time. First use the drop-down menu to select the team roster to be edited.', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'While players can be edited on this screen much faster than the Manage Players screen, there are some restrictions. The Player Title, Player Slug, Player Team(s), Player Photo, and Player Profile fields cannot be edited on this screen. Use the Manage Players screen.', 'team-rosters' ) ?></p>
+                <p><?php esc_html_e( 'Use this screen to edit the players on a roster in bulk - up to 20 at time. First use the drop-down menu to select the team roster to be edited.', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'While players can be edited on this screen much faster than the Manage Players screen, there are some restrictions. The Player Title, Player Slug, Player Team(s), Player Photo, and Player Profile fields cannot be edited on this screen. Use the Manage Players screen.', 'team-rosters' ) ?></p>
                 
                 <p>See the <a href="http://shoalsummitsolutions.com/category/users-manuals/tr-plugin/" target="_blank">MSTW Team Rosters users manual</a> for more details.</p>
@@ -973 +993 @@
         //mstw_log_msg( "MSTW_TR_TEAM_ROSTERS_ADMIN.add_players_help_content:" );       
                 ?>
-                <p><?php _e( 'Use this screen to add players to rosters in bulk - up to 20 at time. First use the drop-down menu to select the team to which to add players.', 'team-rosters' ) ?></p>
-                
-                <p><?php _e( 'While players can be added on this screen much faster than the Manage Players screen, there are the following restrictions:', 'team-rosters' ) ?></p>
+                <p><?php esc_html_e( 'Use this screen to add players to rosters in bulk - up to 20 at time. First use the drop-down menu to select the team to which to add players.', 'team-rosters' ) ?></p>
+                
+                <p><?php esc_html_e( 'While players can be added on this screen much faster than the Manage Players screen, there are the following restrictions:', 'team-rosters' ) ?></p>
                 
                 <ul>
-                  <li><?php _e( 'The Player Title will be set to "First_Name Last_Name.', 'team-rosters' ) ?> </li>
-                  <li><?php _e( 'The Player Slug will be set to "first_name-last_name.', 'team-rosters' ) ?> </li>
-                  <li><?php _e( 'Each Player will be added to only the selected team. Use the Manage Players screen to add a player to muliple teams.', 'team-rosters' ) ?> </li>
-                  <li><?php _e( 'Use the Manage Players screen to add Player Photos and Player Profiles.', 'team-rosters' ) ?> </li>
+                  <li><?php esc_html_e( 'The Player Title will be set to "First_Name Last_Name.', 'team-rosters' ) ?> </li>
+                  <li><?php esc_html_e( 'The Player Slug will be set to "first_name-last_name.', 'team-rosters' ) ?> </li>
+                  <li><?php esc_html_e( 'Each Player will be added to only the selected team. Use the Manage Players screen to add a player to muliple teams.', 'team-rosters' ) ?> </li>
+                  <li><?php esc_html_e( 'Use the Manage Players screen to add Player Photos and Player Profiles.', 'team-rosters' ) ?> </li>
                 </ul>
                 
-                <p><a href="http://shoalsummitsolutions.com/category/users-manuals/tr-plugin/" target="_blank"><?php _e( 'See the MSTW Team Rosters users manual for more details.', 'team-rosters' ) ?></a></p>
+                <p><a href="http://shoalsummitsolutions.com/category/users-manuals/tr-plugin/" target="_blank"><?php esc_html_e( 'See the MSTW Team Rosters users manual for more details.', 'team-rosters' ) ?></a></p>
                 
                 <?php               

team-rosters/trunk/includes/mstw-tr-team-tax-admin-class.php

@@ -94 +94 @@
               <div class="form-field">
                     <p class="plugin-not-installed">
-                    <?php esc_html( printf( '%s', $value['warning'] ) ); ?>
+                    <?php //printf( '%s', $value['warning'] ); 
+                    echo esc_html( $value['warning'] ) ?>
                     </p>
               </div>
@@ -107 +108 @@
                 
                 <div class="form-field">
-                  <label for=<?php echo $id ?>><?php echo $value['title'] ?></label>
+                  <label for=<?php echo esc_html( $id ) ?>><?php echo esc_html( $value['title'] ) ?></label>
                   
-                  <select id='<?php echo $key ?>' name='<?php echo $key ?>' class='mstw-tr-tax-select-team' >
+                  <select id='<?php echo esc_html( $key ) ?>' name='<?php echo esc_html( $key ) ?>' class='mstw-tr-tax-select-team' >
                     <?php
                     $options = $this -> build_teams_list( $value['post_type'] );
@@ -116 +117 @@
                         $selected = selected( -1, $v, false );
                         ?>
-                        <option value='<?php echo $v ?>' <?php echo $selected?>><?php echo $k ?></option>
+                        <option value='<?php echo esc_html( $v ) ?>' <?php echo esc_html( $selected ) ?>><?php echo esc_html( $k ) ?></option>
                     <?php } ?>
                   </select>
@@ -175 +176 @@
             ?>
               <td>
-                <p class="plugin-not-installed"><?php echo $value['warning'] ?></p>
+                <p class="plugin-not-installed"><?php echo esc_html( $value['warning'] )?></p>
               </td>
               
@@ -183 +184 @@
                 ?>
                 <td>
-                  <select id='<?php echo $key ?>' name='<?php echo $key ?>' class='mstw-tr-tax-select-team' >
+                  <select id='<?php echo esc_html( $key ) ?>' name='<?php echo esc_html( $key ) ?>' class='mstw-tr-tax-select-team' >
                     <?php
                     $options = $this -> build_teams_list( $value['post_type'] );
@@ -194 +195 @@
                         }
                         ?>
-                        <option value='<?php echo $v ?>' <?php echo $selected ?>><?php echo $k ?></option>
+                        <option value='<?php echo esc_html( $v )?>' <?php echo esc_html( $selected ) ?>><?php echo esc_html( $k ) ?></option>
                     <?php } ?>
                   </select>
                   
-                  <?php echo $value['title'] ?>
+                  <?php echo esc_html( $value['title'] )?>
                 
                 </td> <!-- .form-field -->
@@ -427 +428 @@
             case 'manage-teams-help':
                 ?>
-                <p><?php _e( 'This screen provides management (add, edit, delete) of teams.', 'team-rosters' ) ?></p>
-                <p><?php _e( 'Each team may be linked to a team in the MSTW Schedules & Scoreboards or the MSTW League Manager database. These links will allow team logos to be pulled from the database, and team colors for links  the Schedules & Scoreboard', 'team-rosters' ) ?></p>
-                <p><?php _e( 'Teams may be added on this page. They may also be added in bulk via the CSV Import screen.', 'team-rosters' ) ?></p>
-                <p><?php _e( 'Roll over a team name, and select "Edit" to modify the data for an existing team." ', 'team-rosters' ) ?></p>
-                <p><?php _e( 'Roll over a team name, and select "Delete" to remove a team. Any players assigned to the team will be removed from the team, but will remain in the players database." ', 'team-rosters' ) ?></p>
-                
-                <p><a href="http://shoalsummitsolutions.com/tr-data-entry-teams/" target="_blank"><?php _e( 'See the Data Entry - Teams man page for more details.', 'team-rosters' ) ?></a></p>
+                <p><?php esc_html_e( 'This screen provides management (add, edit, delete) of teams.', 'team-rosters' ) ?></p>
+                <p><?php esc_html_e( 'Each team may be linked to a team in the MSTW Schedules & Scoreboards or the MSTW League Manager database. These links will allow team logos to be pulled from the database, and team colors for links  the Schedules & Scoreboard', 'team-rosters' ) ?></p>
+                <p><?php esc_html_e( 'Teams may be added on this page. They may also be added in bulk via the CSV Import screen.', 'team-rosters' ) ?></p>
+                <p><?php esc_html_e( 'Roll over a team name, and select "Edit" to modify the data for an existing team." ', 'team-rosters' ) ?></p>
+                <p><?php esc_html_e( 'Roll over a team name, and select "Delete" to remove a team. Any players assigned to the team will be removed from the team, but will remain in the players database." ', 'team-rosters' ) ?></p>
+                
+                <p><a href="http://shoalsummitsolutions.com/tr-data-entry-teams/" target="_blank"><?php esc_html_e( 'See the Data Entry - Teams man page for more details.', 'team-rosters' ) ?></a></p>
                 
                 <?php               
@@ -440 +441 @@
             case 'edit-team-help':
                 ?>
-                <p><?php _e( 'Use this screen to modify the information for an existing team.', 'team-rosters' ) ?></p>
-                
-                <p><a href="http://shoalsummitsolutions.com/tr-data-entry-teams/" target="_blank"><?php _e( 'See the Data Entry - Teams man page for more details.', 'team-rosters' ) ?></a></p>
+                <p><?php esc_html_e( 'Use this screen to modify the information for an existing team.', 'team-rosters' ) ?></p>
+                
+                <p><a href="http://shoalsummitsolutions.com/tr-data-entry-teams/" target="_blank"><?php esc_html_e( 'See the Data Entry - Teams man page for more details.', 'team-rosters' ) ?></a></p>
                 
                 

team-rosters/trunk/includes/mstw-tr-utility-functions.php

@@ -736 +736 @@
             $output = sprintf( 
                 /* translators: %s: team slug (permalink)*/
-                __( "No players found on team: '%s'", 'team-rosters' ), $team_slug );
+                esc_html__( "No players found on team: '%s'", 'team-rosters' ), $team_slug );
         }
 
@@ -1155 +1155 @@
  //         null if logo can't be found/built
  //         logo html with alt, and with link to team site, if available
+ //         1. Use the team logo from the S&S or LM DB, if available,
+ //         2. Else use the team logo in the theme's /team-rosters/images/ dir
+ //         3. Else use the default-logo-team-slug.png from the plugin images dir
+ //         4. Else use the default-logo.png (mystery player) from the plugin images dir
+
  // 
  if ( !function_exists( 'mstw_tr_build_team_logo' ) ) {
     function mstw_tr_build_team_logo( $team_slug = null, $type='player' ) {
-        //1. Use the team logo from the S&S or LM DB, if available,
-        //2. Else use the team logo in the theme's /team-rosters/images/ dir
-        //3. Else use the default-logo-team-slug.png from the plugin images dir
-        //4. Else use the default-logo.png (mystery player) from the plugin images dir
-
-        //mstw_tr_log_msg( 'mstw_tr_build_team_logo:' );
+        //mstw_log_msg( 'mstw_tr_build_team_logo:' );
 
         if( null === $team_slug ) {
@@ -1631 +1631 @@
                 ?>
                 <tr class='mstw-divider-spacer'><td>&nbsp;&nbsp;</td></tr>
-                <tr class='mstw-divider'><th colspan=2 ><?php echo $divider_msg ?></th></tr>
+                <tr class='mstw-divider'><th colspan=2 ><?php echo esc_html( $divider_msg ) ?></th></tr>
                 <?php
             }
@@ -1647 +1647 @@
                 <tr>
                 <?php //if ( "" != $label ) { ?>
-                    <th><label for '<?php echo $field_data['id']?>' >
-                        <?php echo $label ?>
+                    <th><label for '<?php echo esc_html( $field_data['id'] )?>' >
+                        <?php echo esc_html( $label ) ?>
                     </label></th>
             <?php //} ?>
@@ -1718 +1718 @@
         $name = ( !empty( $name ) ) ? $name : $id;
         
-        // pass the standard value if the option is not yet set in the database
-        //if ( !isset( $options[$id] ) && $options[ != 'checkbox' && ) {
-        //  $options[$id] = ( isset( $default ) ? $default : 'default_field' );
-        //}
-        
         // Additional field class. Output only if the class is defined in the $args()
         $class_str = ( !empty( $class ) ) ? "class='$class'" : '' ;
@@ -1735 +1730 @@
             case 'color':   // color field is just a text field with associated JavaScript
             ?>
-                <input type="text" id="<?php echo $id ?>" name="<?php echo $name ?>" value="<?php echo $curr_value ?>" <?php echo $attrib_str ?> />
+                <input type="text" id="<?php echo esc_html( $id ) ?>" name="<?php echo esc_html( $name ) ?>" value="<?php echo esc_html( $curr_value ) ?>" <?php echo esc_attr( $attrib_str ) ?> />
             <?php
-                echo ( !empty( $desc ) ) ? "<br /><span class='description'>$desc</span>\n" : "";
+                echo ( !empty( $desc ) ) ? "<br /><span class='description'>" . esc_html( $desc ) . "</span>\n" : "";
                 break;
                 
@@ -1747 +1742 @@
                 $options = $args['options'];
                     
-                echo "<select id='$id' name='$name' $attrib_str >";
+                echo "<select id='" . esc_html( $id ) . "' name='" . esc_html( $name ) . "'" . esc_attr( $attrib_str ) . "'>";
                     foreach( $options as $key=>$value ) {
                         $selected = ( $curr_value == $value ) ? 'selected="selected"' : '';
-                        echo "<option value='$value' $selected>$key</option>";
+                        echo "<option value='" . esc_html( $value ) . "'" . esc_html( $selected ) . ">" . esc_html( $key ) . "</option>";
                     }
                 echo "</select>";
-                echo ( !empty( $desc ) ) ? "<br /><span class='description'>$desc</span>" : "";
+                echo ( !empty( $desc ) ) ? "<br /><span class='description'>" . esc_html( $desc ) . "</span>" : "";
                 break;
             
             // CHECKBOX
             case 'checkbox':
-                echo "<input class='checkbox $class_str' type='checkbox' id='$id' name='$name' value=1 " . checked( $curr_value, 1, false ) . " />";
-                echo ($desc != '') ? "<br /><span class='description'>$desc</span>" : "";   
+                echo "<input class='checkbox " . esc_html( $class_str ) . "' type='checkbox' id='" . esc_html( $id ) . "' name='" . esc_html( $name ) . "' value=1 " . checked( esc_html( $curr_value ), 1, false ) . " />";
+                //echo "<input class='checkbox $class_str' type='checkbox' id='$id' name='$name' value=1 " . checked( $curr_value, 1, false ) . " />";
+                echo ($desc != '') ? "<br /><span class='description'>". esc_html( $desc ) . "</span>" : "";    
                 break;
                 
             // LABEL
             case 'label':
-                echo "<span class='description'>" . $curr_value . "</span>";
-                echo ( '' != $desc ) ? "<br /><span class='description'>$desc</span>" : "";
+                echo "<span class='description'>" . esc_html( $curr_value ) . "</span>";
+                echo ( '' != $desc ) ? "<br /><span class='description'>" . esc_html( $desc ) . "</span>" : "";
                 break;
                 
@@ -1772 +1768 @@
                 ?>
                 <td class="uploader">
-                    <input type="text" name="<?php echo $id  ?>" id="<?php echo $id ?>" class="mstw_logo_text" size="30" value="<?php echo $curr_value ?>"/>
-                    <?php echo ($desc != '') ? "<br /><span class='description'>$desc</span>" : ""; ?>
+                    <input type="text" name="<?php echo esc_html( $id ) ?>" id="<?php echo esc_html( $id ) ?>" class="mstw_logo_text" size="30" value="<?php echo esc_html( $curr_value ) ?>"/>
+                    <?php echo ($desc != '') ? "<br /><span class='description'>" . esc_html( $desc ) . "</span>" : ""; ?>
                 </td>
                 
                 <td class="uploader">
-                  <input type="button" class="button" name="<?php echo $id . '_btn'?>" id="<?php echo $id . '_btn'?>" value="<?php echo $btn_label ?>" />
+                  <input type="button" class="button" name="<?php echo esc_html( $id ) . '_btn'?>" id="<?php echo esc_html( $id ) . '_btn'?>" value="<?php echo esc_html( $btn_label ) ?>" />
                 <!-- </div> -->
                 </td>
                 <td>
-                <img id="<?php echo $id . '_img' ?>" width="<?php echo $img_width ?>" src="<?php echo $curr_value ?>" />
+                <img id="<?php echo esc_html( $id ) . '_img' ?>" width="<?php echo esc_html( $img_width  )?>" src="<?php echo esc_html( $curr_value ) ?>" />
                 </td>
         <?php
@@ -1790 +1786 @@
             // THE FOLLOWING CASES HAVE NOT BEEN TESTED/USED
             
+            /*
             case "multi-text":
                 foreach($options as $item) {
@@ -1843 +1840 @@
                     }
                     
-                    echo "<input class='checkbox$field_class' type='checkbox' id='$id|$item[1]' name='" . $wptuts_option_name . "[$id|$item[1]]' value='1' $checked /> $item[0] <br/>";
+                    //echo "<input class='checkbox'. esc_html( $field_class) . "' type='checkbox' id='" . esc_html( $id) . "|" esc_html( $item[1]) . "' name='" . esc_html( $wptuts_option_name ) . "[$id|$item[1]]' value='1' $checked /> $item[0] <br/>";
                 }
-                echo ($desc != '') ? "<br /><span class='description'>$desc</span>" : "";
+                echo ($desc != '') ? "<br /><span class='description'>" . esc_html( $desc ) . "</span>" : "";
             break;
+            */
             
             default:
                 mstw_tr_log_msg( "CONTROL TYPE $type NOT RECOGNIZED." );
-                echo "CONTROL TYPE $type NOT RECOGNIZED.";
+                echo "CONTROL TYPE ", esc_html( $type ), " NOT RECOGNIZED.";
             break;
             
@@ -2030 +2028 @@
 // NEW STUFF FOR NEW MSTW TEAM ROSTERS
 //
-
+/*
 //------------------------------------------------------------------------------------
 // a. mstw_tr_get_current_sport - gets the current sport from the options DB 
@@ -2048 +2046 @@
     } //End: mstw_tr_get_current_sport()
 }
-
+*/
+
+/*
 //------------------------------------------------------------------------------------
 // b. mstw_tr_set_current_sport - sets the current sport in the options DB 
@@ -2066 +2066 @@
     } //End: mstw_tr_set_current_sport()
 }
+*/
 
 // ------------------------------------------------------------------------------
@@ -2078 +2079 @@
 //      Outputs the HTML control and returns the number of sports found
 //      Otherwise, returns -1 if no sports are found
-//      
+//
+/*
 if ( !function_exists( 'mstw_tr_build_sport_select' ) ) {
     function mstw_tr_build_sport_select( $current_sport = '', $id = '', $showDefault = false ) {
@@ -2098 +2100 @@
         
             ?>
-            <select name=<?php echo $id ?> id=<?php echo $id ?> >
+            <select name=<?php echo esc_html( $id ) ?> id=<?php echo esc_html( $id ) ?> >
             <?php foreach ( $sports as $slug => $name ) { 
                 $selected = selected( $slug, $current_sport, false );
                 ?>
-                <option value=<?php echo "$slug $selected" ?>><?php echo $name ?> </option>
+                <option value=<?php echo esc_html( $slug ) . " " . esc_html( $selected) ?>><?php echo esc_html( $name ) ?> </option>
                 
                 <?php 
@@ -2116 +2118 @@
     } //End: mstw_tr_build_sport_select()
 }
-
+*/
+    
+/*
 // ------------------------------------------------------------------------------
 // d. mstw_tr_build_sports_list - Returns a default array of sports as 
@@ -2197 +2201 @@
     } //End: mstw_lm_build_sports_list( )
 }
+*/

team-rosters/trunk/includes/mstw-utility-functions.php

@@ -26 +26 @@
  * 1. mstw_log_msg - writes debug messages to /wp-content/debug.log
  *                   if the WP_DEBUG settings in wp-config are correct
- * 2. mstw_requires_wordpress_version - checks for the right WordPress version
+ * 2. mstw_requires_wordpress_version - checks for the right WordPress version 
  * 3. mstw_safe_ref - prevents uninitialized string errors 
  * 3.1  mstw_safe_get - Safely get value for a key from an array
@@ -54 +54 @@
 //------------------------------------------------------------------------------
 //  1. mstw_log_msg - logs messages to /wp-content/debug IF WP_DEBUG is true
+//              this function is used for DEBUGGING. It's not intended for production 
+//              unless there is a REAL ERROR.
 //      ARGUMENTS:
 //          $msg - string, array, or object to log
@@ -75 +77 @@
     } //End: mstw_log_msg( )
 }
+
 
 //------------------------------------------------------------------------------
@@ -84 +87 @@
 //  THIS FUNCTION ONLY WORKS IN ADMIN (because it calls get_plugin_data()
 //
-if ( !function_exists( 'mstw_requires_wordpress_version' ) ) {
-    function mstw_requires_wordpress_version( $version = '3.9.2' ) {
-        global $wp_version;
-        
-        $plugin = MSTW_SS_PLUGIN_NAME;
-        //$plugin_data = get_plugin_data( __FILE__, false );
-        $plugin_data = get_plugin_data( MSTW_SS_PLUGIN_DIR . '/mstw-schedules-scoreboards.php', 
-                                        false );
-
-        if ( version_compare( $wp_version, $version, "<" ) ) {
-            if( is_plugin_active( $plugin ) ) {
-                deactivate_plugins( $plugin );
-                $die_msg = $plugin_data['Name'] . " requires WordPress $version or higher, and has been deactivated! <br/> Please upgrade WordPress and try again.<br /><br /><a href='".admin_url()."'>Back to admin dashboard</a>.";
-                die( $die_msg );
-            }
-        }
-    } //end mstw_requires_wordpress_version()
-}
+/*
+ * Removed from team rosters version
+ */
 
 // ----------------------------------------------------------------
@@ -237 +225 @@
                     break;
                 case 'D' :
-                    $return .= $param_D[date('N', $timestamp)];
+                    $return .= $param_D[gmdate('N', $timestamp)];
                     break;
                 case 'l' :
-                    $return .= $param_l[date('N', $timestamp)];
+                    $return .= $param_l[gmdate('N', $timestamp)];
                     break;
                 case 'F' :
-                    $return .= $param_F[date('n', $timestamp)];
+                    $return .= $param_F[gmdate('n', $timestamp)];
                     break;
                 case 'M' :
-                    $return .= $param_M[date('n', $timestamp)];
+                    $return .= $param_M[gmdate('n', $timestamp)];
                     break;
                 default :
-                    $return .= date($format[$i], $timestamp);
+                    $return .= gmdate($format[$i], $timestamp);
                     break;
             }
@@ -274 +262 @@
 //  );
 //
-if( !function_exists( 'mstw_build_admin_edit_screen' ) ) {  
-    function mstw_build_admin_edit_screen( $fields ) {
-        
-        foreach( $fields as $field_id=>$field_data ) {
-            //HANDLE table dividers here ... NEW
-            if ( $field_data['type'] == 'divider' ) {
-                $divider_msg = ( isset( $field_data['curr_value'] ) ) ? $field_data['curr_value'] : '&nbsp;&nbsp;';
-                ?>
-                <tr class='mstw-divider-spacer'><td>&nbsp;&nbsp;</td></tr>
-                <tr class='mstw-divider'><th colspan=2 ><?php echo $divider_msg ?></th></tr>
-                <?php
-            }
-            else {
-                $field_data['id'] = ( !isset( $field_data['id'] ) || empty( $field_data['id'] ) ) ? $field_id : $field_data['id'];
-                $field_data['name'] = ( !isset( $field_data['name'] ) || empty( $field_data['name'] ) ) ? $field_id : $field_data['name'];
-                
-                // check the field label/title
-                if ( array_key_exists( 'label', $field_data ) && !empty( $field_data['label'] ) )
-                    $label = $field_data['label'];
-                else
-                    $label = '';
-                ?>
-                
-                <tr>
-                    <th><label for '<?php echo $field_data['id']?>' >
-                        <?php echo $label ?>
-                    </label></th>
-                    <?php 
-                    // media-uploader will add it's own cells (3 of theme)
-                    if ( $field_data['type'] != 'media-uploader' ) { 
-                        echo "<td>\n";
-                    }
-
-                        
-                        mstw_build_admin_edit_field( $field_data );
-
-                    if ( $field_data['type'] != 'media-uploader' ) { 
-                        echo "</td>\n";
-                    }
-                    ?>
-                    </tr>
-                <?php
-            }
-        }
-        
-    } //End: mstw_build_admin_edit_screen()
-}
+/*
+ * Removed from team rosters version
+ */
 
 //-------------------------------------------------------------------------------
@@ -339 +283 @@
 //      
 //
-if( !function_exists( 'mstw_build_admin_edit_field' ) ) {
-    function mstw_build_admin_edit_field( $args ) {
-    
-        $defaults = array(
-                'type'         => 'text',
-                'id'         => 'default_field', // the ID of the setting in our options array, and the ID of the HTML form element
-                'title'      => __( 'Default Field', 'team-rosters' ), // the label for the HTML form element
-                'label'      => __( 'Default Label', 'team-rosters' ), // the label for the HTML form element
-                'desc'         => '', // the description displayed under the HTML form element
-                'default'      => '',  // the default value for this setting
-                'type'       => 'text', // the HTML form element to use
-                'options'    => array(), // (optional): the values in radio buttons or a drop-down menu
-                'name'         => '', //name of HTML form element. should be options_array[option]
-                'class'      => '',  // the HTML form element class. Also used for validation purposes!
-                'curr_value' => '',  // the current value of the setting
-                'maxlength'  => '',  // maxlength attrib of some input controls
-                'size'         => '',  // size attrib of some input controls
-                'img_width'  => 60,
-                'btn_label'  => 'Upload from Media Library',
-                );
-        
-        // "extract" to be able to use the array keys as variables in our function output below
-        $args = wp_parse_args( $args, $defaults );
-    
-        extract( $args );
-        
-        // default name to id
-        $name = ( !empty( $name ) ) ? $name : $id;
-        
-        $name = esc_attr( $name );
-        
-        $id   = esc_attr( $id );
-        
-        // pass the standard value if the option is not yet set in the database
-        
-        // Additional field class. Output only if the class is defined in the $args()
-        $class_str = ( !empty( $class ) ) ? "class='$class'" : '';
-        $maxlength_str = ( !empty( $maxlength ) ) ? "maxlength='$maxlength'" : '' ;
-        $size_str = ( !empty( $size ) ) ? "size='$size'" : '' ;
-        $attrib_str = " $class_str $maxlength_str $size_str ";
-        
-        $desc = esc_html( $desc );
-        $desc_html = ( !empty( $desc ) ) ? "<br /><span class='description'>$desc</span>" : "";
-        
-
-        // switch html display based on the setting type.
-        switch ( $args['type'] ) {
-            //TEXT & COLOR CONTROLS
-            case 'text':    // this is the default type
-            case 'color':   // color field is just a text field with associated JavaScript
-            ?>
-                <input type="text" id="<?php echo $id ?>" name="<?php echo $name ?>" value="<?php echo $curr_value ?>" <?php echo $attrib_str ?> />
-            <?php
-                echo $desc_html;
-                break;
-                
-            //SELECT OPTION CONTROL
-            case 'select-option':
-                //not sure why this is needed given the extract() above
-                //but without it you get an extra option with the 
-                //'option-name' displayed (huh??)
-                $options = $args['options'];
-                    
-                echo "<select id='$id' name='$name' $attrib_str >";
-                    foreach( $options as $key=>$value ) {
-                        $selected = ( $curr_value == $value ) ? 'selected="selected"' : '';
-                        $value = esc_attr( $value );
-                        $key   = esc_html( $key );
-                        echo "<option value='$value' $selected>$key</option>";
-                    }
-                echo "</select>";
-                echo $desc_html;
-                break;
-            
-            // CHECKBOX
-            case 'checkbox':
-                echo "<input class='checkbox $class_str' type='checkbox' id='$id' name='$name' value=1 " . checked( $curr_value, 1, false ) . " />";
-                echo $desc_html;
-                break;
-                
-            // LABEL
-            case 'label':
-                echo "<span class='description'>" . esc_html( $curr_value ) . "</span>";
-                echo $desc_html;
-                break;
-                
-            // MEDIA UPLOADER
-            case 'media-uploader':
-                ?>
-                <td class="uploader">
-                    <input type="text" name="<?php echo $id  ?>" id="<?php echo $id ?>" class="mstw_logo_text" size="32" value="<?php echo esc_attr( $curr_value )?>"/>
-                    <?php echo $desc_html; ?>
-                </td>
-                
-                <td class="uploader">
-                  <input type="button" class="button" name="<?php echo $id . '_btn'?>" id="<?php echo $id . '_btn'?>" value="<?php echo esc_attr( $btn_label ) ?>" />
-                <!-- </div> -->
-                </td>
-                <td>
-                <img id="<?php echo $id . '_img' ?>" width="<?php echo esc_attr( $img_width )?>" src="<?php echo esc_attr( $curr_value ) ?>" />
-                </td>
-        <?php
-                break;
-                
-            default:
-                echo "CONTROL TYPE $type NOT RECOGNIZED.";
-                break;
-            
-        }   //End: switch ( $args['type'] ) {
-            
-    } //End: mstw_build_admin_edit_field()
-}
+/*
+ * Removed from team rosters version
+ */
+
 
 //-------------------------------------------------------------------------------
@@ -459 +295 @@
 //          None. HTML is ouput/echoed to the screen by mstw_build_settings_field()
 //
-if( !function_exists( 'mstw_build_settings_screen' ) ) {    
-    function mstw_build_settings_screen( $arguments ) {
-        foreach ( $arguments as $args ) {
-            mstw_build_settings_field( $args );
-        }
-    }  //End: mstw_build_settings_screen()
-}
+/*
+ * Removed from team rosters version
+ */
 
 //-------------------------------------------------------------------------------
@@ -476 +308 @@
 //          None. HTML is output/echoed to screen
 //      
-if( !function_exists( 'mstw_build_settings_field' ) ) { 
-    function mstw_build_settings_field( $args ) {
-        // default array to overwrite when calling the function
-        
-        $defaults = array(
-            'id'      => 'default_field', // the ID of the setting in our options array, and the ID of the HTML form element
-            'title'   => 'Default Field',  // the label for the HTML form element
-            'desc'    => '', // the description displayed under the HTML form element
-            'default'     => '',  // the default value for this setting
-            'type'    => 'text', // the HTML form element to use
-            'section' => '', // settings section to which this setting belongs
-            'page' => '', //page on which the section belongs
-            'options' => array(), // (optional): the values in radio buttons or a drop-down menu
-            'name' => '', //name of HTML form element. should be options_array[option]
-            'class'   => '',  // the HTML form element class. Also used for validation purposes!
-            'value' => ''  // the current value of the setting
-        );
-        
-        //  ARGUMENTS: $field_args = array(
-        //      'type'       => $type,  *
-        //      'id'         => $id,    *
-        //      'desc'       => $desc,  *
-        //      'curr_value' => $value, *
-        //      'options'    => $options,   *
-        //      'label_for'  => $id,    * (use id)
-        //      'class'      => $class, *
-        //      'name'       => $name,
-        //  );
-        
-        // "extract" to be able to use the array keys as variables in our function output below
-        extract( wp_parse_args( $args, $defaults ) );
-        
-        //Handle some MSTW custom field types; convert for generic select-option
-        switch ( $type ) {
-            case 'show-hide':
-                $type = 'select-option';
-                $options = array(   __( 'Show', 'team-rosters' ) => 1, 
-                                    __( 'Hide', 'team-rosters' ) => 0, 
-                                  );
-                break;
-            case 'date-time':
-                $type = 'select-option';
-                
-                $options = array (  __( 'Custom', 'team-rosters' ) => 'custom',
-                                    __( 'Tuesday, 07 April 01:15 pm', 'team-rosters' ) => 'l, d M h:i a',
-                                    __( 'Tuesday, 7 April 01:15 pm', 'team-rosters' ) => 'l, j M h:i a',
-                                    __( 'Tuesday, 07 April 1:15 pm', 'team-rosters' ) => 'l, d M g:i a',
-                                    __( 'Tuesday, 7 April 1:15 pm', 'team-rosters' ) => 'l, j M g:i a',
-                                    __( 'Tuesday, 7 April 13:15', 'team-rosters' ) => 'l, d M H:i',
-                                    __( 'Tuesday, 7 April 13:15', 'team-rosters' ) => 'l, j M H:i',
-                                    __( '07 April 13:15', 'team-rosters' ) => 'd M H:i',
-                                    __( '7 April 13:15', 'team-rosters' ) => 'j M H:i',
-                                    __( '07 April 01:15 pm', 'team-rosters' ) => 'd M g:i a',
-                                    __( '7 April 01:15 pm', 'team-rosters' ) => 'j M g:i a',        
-                                    );
-                
-                if ( isset( $custom_format ) && $custom_format == 0 ) {
-                    //remove the custom option
-                    unset( $options[ __( 'Custom', 'team-rosters' ) ] );
-                }
-                
-                if ( $desc == '' ) {
-                    $desc = __( 'Formats for 7 April 2013 13:15.', 'team-rosters' );
-                }
-                
-                break;
-            case 'date-only':
-                $type = 'select-option';
-                $options = array (  __( 'Custom', 'team-rosters' ) => 'custom',
-                                    '2013-04-07' => 'Y-m-d',
-                                    '13-04-07' => 'y-m-d',
-                                    '04/07/13' => 'm/d/y',
-                                    '4/7/13' => 'n/j/y',
-                                    __( '07 Apr 2013', 'team-rosters' ) => 'd M Y',
-                                    __( '7 Apr 2013', 'team-rosters' ) => 'j M Y',
-                                    __( 'Tues, 07 Apr 2013', 'team-rosters' ) => 'D, d M Y',
-                                    __( 'Tues, 7 Apr 13', 'team-rosters' ) => 'D, j M y',
-                                    __( 'Tuesday, 7 Apr', 'team-rosters' ) => 'l, j M',
-                                    __( 'Tuesday, 07 April 2013', 'team-rosters' ) => 'l, d F Y',
-                                    __( 'Tuesday, 7 April 2013', 'team-rosters' ) => 'l, j F Y',
-                                    __( 'Tues, 07 Apr', 'team-rosters' ) => 'D, d M',
-                                    __( 'Tues, 7 Apr', 'team-rosters' ) => 'D, j M',
-                                    __( '07 Apr', 'team-rosters' ) => 'd M',
-                                    __( '7 Apr', 'team-rosters' ) => 'j M',
-                                    );
-                                    
-                if ( isset( $custom_format ) && $custom_format == 0 ) {
-                    //remove the custom option
-                    unset( $options[ __( 'Custom', 'team-rosters' ) ] );
-                }
-                if ( $desc == '' ) {
-                    $desc = __( 'Formats for 7 Apr 2013. Default: 2013-04-07', 'team-rosters' );
-                }
-                break;
-            case 'time-only':
-                $type = 'select-option';
-                $options = array (  __( 'Custom', 'team-rosters' )  => 'custom',
-                                    __( '08:00 (24hr)', 'team-rosters' ) => 'H:i',
-                                    __( '8:00 (24hr)', 'team-rosters' )     => 'G:i',
-                                    __( '08:00 am', 'team-rosters' )    => 'h:i a',
-                                    __( '08:00 AM', 'team-rosters' )    => 'h:i A',
-                                    __( '8:00 am', 'team-rosters' )         => 'g:i a',
-                                    __( '8:00 AM', 'team-rosters' )         => 'g:i A',
-                                    );
-                                    
-                if ( isset( $custom_format ) && $custom_format == 0 ) {
-                    //remove the custom option
-                    unset( $options[ __( 'Custom', 'team-rosters' ) ] );
-                }
-                if ( $desc == '' ) {
-                    $desc = __( 'Formats for eight in the morning. Default: 08:00', 'team-rosters' );
-                }
-                break;
-            default:
-                break;
-                                
-        }
-        
-        //
-        // map arguments used by mstw_display_form_field() to create HTML output 
-        //
-        $field_args = array(
-            'type'       => $type,
-            'id'         => $id,
-            'desc'       => $desc,
-            'curr_value' => $value,
-            'options'    => $options,
-            'label_for'  => $id,
-            'class'      => $class,
-            'name'       => $name,
-        );
-        
-        add_settings_field( $id, 
-            $title, 
-            'mstw_build_admin_edit_field', 
-            $page, 
-            $section, 
-            $field_args 
-            );
-        
-    } //End: mstw_build_settings_field()
-}
+/*
+ * Removed from team rosters version
+ */
 
 //-------------------------------------------------------------------------------
@@ -623 +316 @@
 //      Returns input string if valid hex color (or ''); returns null otherwise     
 //
-if( !function_exists( 'mstw_sanitize_hex_color' ) ) {
-    function mstw_sanitize_hex_color( $color ) {
-        // the empty string is ok
-        if ( '' === $color )
-            return '';
-
-        // 3 or 6 hex digits, or the empty string.
-        if ( preg_match('|^#([A-Fa-f0-9]{3}){1,2}$|', $color ) )
-            return $color;
-        
-        // return null if input $color is not valid
-        return null;
-        
-    } //End: mstw_sanitize_hex_color()
-}
+/*
+ * Removed from team rosters version
+ */
 
 //-------------------------------------------------------------------------------
@@ -708 +389 @@
         elseif( $current_screen and $current_screen->post_type )
             return $current_screen->post_type;
-     
+      /**
+            * IDK how to fix the warning from the plugin checker:
+            *   Processing form data without nonce verification.
+            * This utility function is just trying to find a post type??
+            */
         elseif( isset( $_REQUEST['post_type'] ) )
             return sanitize_key( $_REQUEST['post_type'] );
@@ -812 +497 @@
                 $msg_type = ( $msg_type == 'warning' ) ? $msg_type . ' updated' : $msg_type ;
             ?>
-                <div class="<?php echo $msg_type; ?>">
-                    <p><?php echo $msg_notice; ?></p>
+                <div class="<?php echo esc_html( $msg_type ); ?>">
+                    <p><?php echo esc_html( $msg_notice ); ?></p>
                 </div>
             

team-rosters/trunk/mstw-team-rosters.php

@@ -1 +1 @@
 <?php
 /*
- * Plugin Name:  MSTW Team Rosters
+ * Plugin Name:  Team Rosters
  * Plugin URI:   http://shoalsummitsolutions.com
  * Description:  Manage & display team rosters. Front end displays include roster tables, player galleries, and single player profiles.
@@ -617 +617 @@
     if ( file_exists( $plugin_stylesheet ) ) {  
         $plugin_style_url = plugins_url( '/css/mstw-tr-styles.css', __FILE__ );
-        wp_enqueue_style( 'mstw_tr_style', $plugin_style_url );
+        wp_enqueue_style( 'mstw_tr_style', 
+                                            $plugin_style_url,
+                                            array( ),
+                                            '4.9',
+                                            'all'
+                                             );
     }
 
@@ -628 +633 @@
         wp_register_style( 'mstw_tr_custom_style', $custom_stylesheet_url );
         wp_enqueue_style( 'mstw_tr_custom_style' );
+        wp_enqueue_style( 'mstw_tr_custom_style', 
+                                            $custom_stylesheet_url,
+                                            array( ),
+                                            '4.9',
+                                            'all'
+                                             );
     }
     
@@ -641 +652 @@
                             plugins_url( 'team-rosters/js/tr-load-team-colors.js' ), 
                             array( 'jquery' ), 
-                            false, 
-                            true 
+                            '4.9', 
+                            array( ) 
                          );
     
@@ -649 +660 @@
                             plugins_url( 'team-rosters/js/tr-sort-roster-table.js' ), 
                             array( 'jquery' ), 
-                            false, 
-                            true 
+                            '4.9', 
+                            array( ) 
                          );
                          
@@ -657 +668 @@
                             plugins_url( 'team-rosters/js/tr-select-player.js' ), 
                             array( 'jquery' ), 
-                            false, 
-                            true 
+                            '4.9', 
+                            array( ) 
                          );
                          
@@ -665 +676 @@
                             plugins_url( 'team-rosters/js/tr-team-roster-2-ajax.js' ), 
                             array( 'jquery' ), 
-                            false, 
-                            true 
+                            '4.9', 
+                            array( ) 
                          );
         

team-rosters/trunk/readme.txt

@@ -44 +44 @@
 
 = 4.8 =
-* Corrected a security issue identified by the Wordpress team
+* Corrected a security issues identified by the Wordpress team
 * Added a .pot file in the /lang directory so the plugin is now translatable.
 * Tested on PHP 8.2.23 and WP 6.7.2. 

team-rosters/trunk/theme-templates/single-player.php

@@ -93 +93 @@
                 // Set up the hidden fields for jScript CSS 
                 $hidden_fields = mstw_tr_build_team_colors_html( $team_slug, $options, 'profile' );
-                echo $hidden_fields;
+                echo wp_kses_post( $hidden_fields );
                 ?>
     
@@ -102 +102 @@
                         // Build the single player page title
                         if ( $options['sp_show_title'] ) {  
-                            echo "<h1 class='player-head-title player-head-title_$team_slug'>$team_name</h1>";
+                            echo "<h1 class='player-head-title player-head-title_" . esc_html( $team_slug ) . "'>" . esc_html( $team_name) . "</h1>";
                         }
                         ?>
@@ -114 +114 @@
                             ?>
                             
-                            <form id="single-player-profile" method="POST" action= "<?php echo $formAction; ?>">
-                                <input type='hidden' name='current-player' id='current-player' value= <?php echo $post->post_name ?> />
+                            <form id="single-player-profile" method="POST" action= "<?php echo esc_url( $formAction ); ?>">
+                                <input type='hidden' name='current-player' id='current-player' value= <?php echo esc_html( $post->post_name ) ?> />
                                 <div class="player-select-list ms-control">
                                     <?php 
                                     if ( null != $team_slug ) {
                                         $selectionHTML = mstw_tr_build_player_selection( $team_slug, $options, $post -> post_name );
-                                        echo $selectionHTML;
+                                        $allowed_html = array( 'option' => array( 'value' => true, 'selected' => true ), 'select' => array( 'name' => true, 'id' => true ) );
+                                        echo wp_kses( $selectionHTML, $allowed_html );
                                     }
                                     ?>
                                 </div>
                                 <div class="player-select-button ms-control">
-                                    <input type="submit" class="secondary tr-ps-submit" id="tr-ps-submit" name="<?php echo $team_slug?>" value='<?php _e( 'Update Player', 'team-rosters' ) ?>'/>
+                                    <input type="submit" class="secondary tr-ps-submit" id="tr-ps-submit" name="<?php echo esc_html( $team_slug )?>" value='<?php esc_html_e( 'Update Player', 'team-rosters' ) ?>'/>
                                 </div>
                             </form>     
@@ -132 +133 @@
                     </div> <!-- <div class='tr-header-controls'> -->
                 
-                    <div class="player-header player-header_<?php echo( $team_slug ) ?> MSTW-flex-row">
+                    <div class="player-header player-header_<?php echo esc_html( $team_slug ) ?> MSTW-flex-row">
                         <div id = "player-photo">
                             <?php 
-                            echo mstw_tr_build_player_photo( $post, $team_slug, $options, 'profile' );
+                            echo wp_kses_post( mstw_tr_build_player_photo( $post, $team_slug, $options, 'profile' ) );
                             ?>
                         </div> <!-- #player-photo -->
@@ -143 +144 @@
                             <?php if ( $options['show_number'] ) { ?>
                                 <div id="number"> 
-                                    <?php echo get_post_meta($post->ID, 'player_number', true ); ?> 
+                                    <?php echo wp_kses_post( get_post_meta( $post->ID, 'player_number', true ) ); ?> 
                                 </div><!-- #number -->
                             <?php } ?>
@@ -152 +153 @@
                                 //Convert 'last, first' to 'first last'
                                 $options['name_format'] = ( $options['name_format'] == 'last-first' ) ? 'first-last' : $options['name_format'] ;
-                                echo mstw_tr_build_player_name( $post, $options, 'profile' );
+                                echo wp_kses_post( mstw_tr_build_player_name( $post, $options, 'profile' ) );
                                 ?>
                             </div><!-- #player-name -->
@@ -167 +168 @@
                                 // the first two rows are (now almost) the same in all formats
                                 if ( $options['show_position'] ) {
-                                    echo $row_start . $options['position_label'] . $new_cell .  get_post_meta($post->ID, 'player_position', true ) . $row_end;
+                                    echo wp_kses_post( $row_start . $options['position_label'] . $new_cell .  get_post_meta($post->ID, 'player_position', true ) . $row_end );
                                 }
                                 
@@ -175 +176 @@
                                     $throws = get_post_meta($post->ID, 'player_throws', true );
                                     $throws = ( $throws == 0 ) ? '' : $throws ;
-                                    echo $row_start . $options['bats_throws_label'] . $new_cell 
-                                                    .  mstw_tr_build_bats_throws( $post ) . $row_end;
+                                    echo wp_kses_post( $row_start . $options['bats_throws_label'] . $new_cell 
+                                                    .  mstw_tr_build_bats_throws( $post ) . $row_end );
                                 }
                                 
@@ -182 +183 @@
                                 // Otherwise show just one or the other
                                 if ( $options['show_height'] and $options['show_weight'] ) {
-                                    echo $row_start . $options['height_label'] . '/' . $options['weight_label'] . $new_cell .  get_post_meta($post->ID, 'player_height', true ) . '/' . get_post_meta($post->ID, 'player_weight', true ) . $row_end;
+                                    echo wp_kses_post( $row_start . $options['height_label'] . '/' . $options['weight_label'] . $new_cell .  get_post_meta($post->ID, 'player_height', true ) . '/' . get_post_meta($post->ID, 'player_weight', true ) . $row_end );
                                 } 
                                 else  if ( $options['show_weight'] ) {
-                                        echo $row_start . $options['weight_label'] . $new_cell .  get_post_meta($post->ID, 'player_weight', true ) . $row_end;
+                                        echo wp_kses_post( $row_start . $options['weight_label'] . $new_cell .  get_post_meta($post->ID, 'player_weight', true ) . $row_end );
                                 } 
                                 else if ( $options['show_height'] ) {
-                                        echo $row_start . $options['height_label'] . $new_cell .  get_post_meta($post->ID, 'player_height', true ) . $row_end;
+                                        echo wp_kses_post( $row_start . $options['height_label'] . $new_cell .  get_post_meta($post->ID, 'player_height', true ) . $row_end );
                                 }       
                                 
                                 //Year
                                 if ( $options['show_year'] ) {
-                                    echo $row_start . $options['year_label'] . $new_cell . get_post_meta( $post->ID, 'player_year', true ) . $row_end;
+                                    echo wp_kses_post( $row_start . $options['year_label'] . $new_cell . get_post_meta( $post->ID, 'player_year', true ) . $row_end );
                                 }
                                 //Age
                                 if ( $options['show_age'] ) {
-                                    echo $row_start . $options['age_label'] . $new_cell . get_post_meta( $post->ID, 'player_age', true ) . $row_end;
+                                    echo wp_kses_post( $row_start . $options['age_label'] . $new_cell . get_post_meta( $post->ID, 'player_age', true ) . $row_end );
                                 }
                                 //Experience
                                 if ( $options['show_experience'] ) {
-                                    echo $row_start . $options['experience_label'] . $new_cell . get_post_meta( $post->ID, 'player_experience', true ) . $row_end;
+                                    echo wp_kses_post( $row_start . $options['experience_label'] . $new_cell . get_post_meta( $post->ID, 'player_experience', true ) . $row_end );
                                 }
                                 //Hometown
                                 if ( $options['show_home_town'] ) {
-                                    echo $row_start . $options['home_town_label'] . $new_cell . get_post_meta( $post->ID, 'player_home_town', true ) . $row_end;
+                                    echo wp_kses_post( $row_start . $options['home_town_label'] . $new_cell . get_post_meta( $post->ID, 'player_home_town', true ) . $row_end );
                                 }
                                 //Last School
                                 if ( $options['show_last_school'] ) {
-                                    echo $row_start . $options['last_school_label'] . $new_cell . get_post_meta( $post->ID, 'player_last_school', true ) . $row_end;
+                                    echo wp_kses_post( $row_start . $options['last_school_label'] . $new_cell . get_post_meta( $post->ID, 'player_last_school', true ) . $row_end );
                                 }
                                 //Country
                                 if ( $options['show_country'] ) {
-                                    echo $row_start . $options['country_label'] . $new_cell . get_post_meta( $post->ID, 'player_country', true ) . $row_end;
+                                    echo wp_kses_post($row_start . $options['country_label'] . $new_cell . get_post_meta( $post->ID, 'player_country', true ) . $row_end );
                                 }
                                 
                                 //Other
                                 if ( $options['show_other_info'] ) {
-                                    echo $row_start . $options['other_info_label'] . $new_cell . get_post_meta( $post->ID, 'player_other', true ) . $row_end;
+                                    echo wp_kses_post( $row_start . $options['other_info_label'] . $new_cell . get_post_meta( $post->ID, 'player_other', true ) . $row_end );
                                 }
                                 ?>
@@ -227 +228 @@
                         <div id='team-logo'>
                             <?php
-                            echo mstw_tr_build_profile_logo( $team_slug );
+                            echo wp_kses_post( mstw_tr_build_profile_logo( $team_slug ) );
                             ?>
                         </div> <!-- #team-logo -->
@@ -236 +237 @@
                     
                     if ( !empty( $bio ) ) {  ?>
-                        <div class="player-bio player-bio_<?php echo $team_slug; ?> ">  
+                        <div class="player-bio player-bio_<?php echo esc_html( $team_slug ); ?> ">  
                             <?php $sp_content_title = ( $options['sp_content_title'] == '' ) ? 
                                     __( 'Player Bio', 'team-rosters' ) : 
                                     $options['sp_content_title']; ?>            
-                            <h1><?php echo $sp_content_title ?></h1>
+                            <h1><?php echo esc_html( $sp_content_title ) ?></h1>
                             
                             <!--add the bio content (format it as desired in the post)-->
-                            <?php echo apply_filters( 'the_content', $bio ); ?>
+                            <!--NOTE: can't escape $bio - it could contain links, lists, formatting, etc entered by the site builder -->
+                            <?php echo wp_kses_post( apply_filters( 'the_content', $bio ) ); ?>
                         </div><!-- .player-bio -->
                                 

team-rosters/trunk/theme-templates/taxonomy-team.php

@@ -25 +25 @@
     $siteURL = "//".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
     
-    $parsedURL = parse_url( $siteURL, PHP_URL_QUERY );
+    $parsedURL = wp_parse_url( $siteURL, PHP_URL_QUERY );
     
     parse_str( $parsedURL, $atts );
@@ -82 +82 @@
     <div id="content-player-gallery" role="main" >
 
-    <header class="page-header page-header_<?php echo $team_slug ?>">
-        <?php echo "<h1 class='team-head-title team-head-title_$team_slug'>$team_name</h1>"; ?>
+    <header class="page-header page-header_<?php echo esc_html( $team_slug ) ?>">
+        <?php //echo "<h1 class='team-head-title team-head-title_$team_slug'>$team_name</h1>"; ?>
+        <?php echo "<h1 class='team-head-title team-head-title_", esc_html( $team_slug ), "'>", esc_html( $team_name ), "</h1>\n"; ?>
     </header>
 
     <?php   
-    //echo mstw_tr_build_gallery( $team_slug, $roster_type, $options );
-    echo mstw_tr_build_gallery( $team_slug, $roster_type, $attribs );
+    // mstw_tr_build_gallery() output is escaped in that function (includes/mstw-tr-utility-functions.php)
+    echo wp_kses_post( mstw_tr_build_gallery( $team_slug, $roster_type, $attribs ) );
     ?>