From 6846268aac8ef9563b2b7a52f41fe642ff94854d Mon Sep 17 00:00:00 2001
From: Harald Eilertsen <haraldei@anduin.net>
Date: Sat, 12 Mar 2022 17:04:58 +0100
Subject: Security: Escape band and venue name in concerts table.

---
 includes/admin/views/_concerts_table.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/admin/views/_concerts_table.php b/includes/admin/views/_concerts_table.php
index 484adca..885f0c0 100644
--- a/includes/admin/views/_concerts_table.php
+++ b/includes/admin/views/_concerts_table.php
@@ -298,8 +298,8 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 
                 $content .=
                     "<td>" . date( 'd.M.Y', strtotime( $concert->cdate() ) ) . "</td>"
-                    . "<td>{$concert->cname()}</td>"
-                    . "<td>{$concert->venue()->name()}</td>";
+                    . "<td>" . esc_html($concert->cname()) . "</td>"
+                    . "<td>" . esc_html($concert->venue()->name()) . "</td>";
 
                 if( is_admin() ) {
                     $content .= '<td class="publishstatus">' . $this->mark_new_concert($concert) . '</td>';
-- 
cgit v1.2.3