From 921608c01ab530a2fbb3057e5ebbbcb2112698d4 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Thu, 10 Mar 2022 15:35:14 +0100
Subject: Security: Escape imported dates before outputing in error messages.
---
 includes/admin/views/giglog_import_gigs.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/includes/admin/views/giglog_import_gigs.php b/includes/admin/views/giglog_import_gigs.php
index afcc632..e68c07c 100644
--- a/includes/admin/views/giglog_import_gigs.php
+++ b/includes/admin/views/giglog_import_gigs.php
@@ -79,8 +79,7 @@ if ( !class_exists( 'GiglogAdmin_ImportGigsPage' ) ) {
 //Below only checks if the date field is made of 4-2-2 digits, irregardless of their values. Actual date check is lower
 if( ! preg_match("/\d{4}\-\d{2}-\d{2}/",$resultArray[3])) {
- $importerrors.= 'Row '.$rid.' has invalid date!'.$resultArray[3]."
";
-
+ $importerrors.= 'Row '.$rid.' has invalid date!'.esc_html($resultArray[3])."
"; continue; } else { @@ -99,7 +98,7 @@ if ( !class_exists( 'GiglogAdmin_ImportGigsPage' ) ) { else { $condate = date('Y-m-d', strtotime($resultArray[3])); if ($condate"; + $importerrors.= 'Row '.$rid.' has date in the past!' . esc_html($resultArray[3]) . "
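Review bot: `$rid` on the new `+` line is still concatenated into the message unescaped; if it is a loop counter this is harmless, but if it is read from the import file it needs the same treatment as the date, `'Row '.esc_html($rid).' has invalid date!'`. The escaping added here matters in particular because the `preg_match("/\d{4}\-\d{2}-\d{2}/", ...)` guard two lines above is unanchored, so any field that merely contains a date-shaped substring passes the shape check and its full content reaches the later branches as-is; if a bare date is the expected value, anchoring it as `"/^\d{4}-\d{2}-\d{2}$/"` would narrow what gets that far. The enclosing loop starts and ends outside the hunk, and the `<br />` inside the string literals has been rendered as a line break in this view, so part of the hunk's context may be missing.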
"; continue; } else { -- cgit v1.2.3
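Review bot: The value reported on the new `+` line is reached via `$condate = date('Y-m-d', strtotime($resultArray[3]))` on the context line above, and `strtotime()` returns `false` for inputs such as `2022-13-45` that satisfy the earlier shape-only regex; unless `strict_types` is on, `date()` then presumably treats that as the epoch and the row is reported as "date in the past" instead of as invalid. Checking the parse result first, `$ts = strtotime($resultArray[3]); if ($ts === false) { $importerrors .= 'Row '.$rid.' has invalid date!'.esc_html($resultArray[3]).'<br />'; continue; }`, gives the right error for those rows and keeps the same escaping. The comparison line itself (`if ($condate`) appears truncated in this rendering, and the enclosing loop starts and ends outside the hunk, so the exact condition is not verifiable here.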