From b4f6d9c766021c4b3285bdef97d29c25d5ed60fa Mon Sep 17 00:00:00 2001
From: Harald Eilertsen <haraldei@anduin.net>
Date: Sat, 12 Mar 2022 17:24:32 +0100
Subject: Security: Escape event and link urls before using.

---
 includes/admin/views/_concerts_table.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/admin/views/_concerts_table.php b/includes/admin/views/_concerts_table.php
index 26e5833..45d9196 100644
--- a/includes/admin/views/_concerts_table.php
+++ b/includes/admin/views/_concerts_table.php
@@ -322,8 +322,8 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
                     }
                 }
                 else {
-                    $content .= "<td><a target=\"_blank\" href=\"{$concert->eventlink()}\">Link</a></td>";
-                    $content .= "<td><a target=\"_blank\" href=\"{$concert->tickets()}\">Tickets</a></td>";
+                    $content .= "<td><a target=\"_blank\" href=\"" . esc_url($concert->eventlink()) . "\">Link</a></td>";
+                    $content .= "<td><a target=\"_blank\" href=\"" . esc_url($concert->tickets()) . "\">Tickets</a></td>";
                 }
 
                 $content .= '<td> <a href="'.get_admin_url().'admin-ajax.php?action=giglog_export_ical&evid='.$concert->id().'">iCal</td>';
-- 
cgit v1.2.3