From 08e787a5d6739321e32840c38e0363e85c600128 Mon Sep 17 00:00:00 2001 From: Sha Sha Chu Date: Wed, 1 May 2024 19:22:09 -0700 Subject: [PATCH] EM 5.12 upgrade --- admin/em-options.php | 1 - classes/em-event.php | 8 ++++-- classes/em-events.php | 6 ++++- classes/em-taxonomy-frontend.php | 9 +++++++ classes/em-ticket.php | 3 ++- .../event-locations/em-event-location-url.php | 10 ++++--- classes/event-locations/em-event-location.php | 14 +++++++--- em-functions.php | 27 ++++++++++--------- events-manager.php | 9 +++++-- readme.txt | 20 ++++++++++++-- templates/forms/event/attributes-public.php | 10 +++---- .../forms/location/attributes-public.php | 10 +++---- templates/templates/events-search.php | 4 +-- templates/templates/ical.php | 5 ++++ templates/templates/search/geo-units.php | 2 +- 15 files changed, 97 insertions(+), 41 deletions(-) diff --git a/admin/em-options.php b/admin/em-options.php index d52412d..ec1db12 100644 --- a/admin/em-options.php +++ b/admin/em-options.php @@ -9,7 +9,6 @@ function em_options_save(){ */ if( current_user_can('manage_options') && !empty($_POST['em-submitted']) && check_admin_referer('events-manager-options','_wpnonce') ){ //Build the array of options here - $post = $_POST; foreach ($_POST as $postKey => $postValue){ if( $postKey != 'dbem_data' && substr($postKey, 0, 5) == 'dbem_' ){ //TODO some more validation/reporting diff --git a/classes/em-event.php b/classes/em-event.php index 9d80dd4..92c6171 100644 --- a/classes/em-event.php +++ b/classes/em-event.php 
@@ -2363,7 +2363,7 @@ function output($format, $target="html") { case '#_24HENDTIME_LOCAL': case '#_24HTIMES_LOCAL': $ts = ($result == '#_24HENDTIME_LOCAL') ? $this->end()->getTimestamp():$this->start()->getTimestamp(); - $date_end = ($result == '#_24HTIMES_LOCAL' && $this->end()->getTimestamp() !== $ts) ? 'data-time-end="'. esc_attr($this->end()->getTimestamp()) .'" data-separator="'. esc_attr(get_option('dbem_times_separator')) . '"' : ''; + $date_end = ($result == '#_24HTIMES_LOCAL' && $this->event_start_time !== $this->event_end_time) ? 'data-time-end="'. esc_attr($this->end()->getTimestamp()) .'" data-separator="'. esc_attr(get_option('dbem_times_separator')) . '"' : ''; $replace = 'JavaScript Disabled'; break; case '#_12HSTARTTIME': @@ -2418,9 +2418,13 @@ function output($format, $target="html") { } if( $result === '#_EVENTDATES_LOCAL' ){ $time_format = ( get_option('dbem_date_format') ) ? get_option('dbem_date_format'):get_option('date_format'); + $start_time = $this->start()->getTimestamp(); + $end_time = $this->event_start_date == $this->event_end_date ? $start_time : $this->end()->getTimestamp(); if( empty($separator) ) $separator = get_option('dbem_dates_separator'); }else{ $time_format = ( get_option('dbem_time_format') ) ? get_option('dbem_time_format'):get_option('time_format'); + $start_time = $this->start()->getTimestamp(); + $end_time = $this->event_start_time == $this->event_end_time ? $start_time : $this->end()->getTimestamp(); if( empty($separator) ) $separator = get_option('dbem_times_separator'); } $time_format = strtr($time_format, $replacements); @@ -2429,7 +2433,7 @@ function output($format, $target="html") { // start output ob_start(); ?> - JavaScript Disabled + JavaScript Disabled $events){ $EM_DateTime = new EM_DateTime($year.'-01-01'); echo str_replace('#s', $EM_DateTime->i18n($format), $args['header_format']); 
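Review bot: In the `#_EVENTDATES_LOCAL` / times hunk, `$start_time = $this->start()->getTimestamp();` is added identically to both branches, and the same-date and same-time tests use loose `==` while the `#_24HTIMES_LOCAL` change in the hunk above uses `!==`. Hoisting the assignment above the `if( $result === '#_EVENTDATES_LOCAL' )` and using `===` in both ternaries (assuming these properties are plain strings) would keep the two branches from drifting apart. output() starts and ends outside these hunks, so how `$start_time` and `$end_time` are consumed further down is not visible here.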
@@ -417,6 +418,7 @@ public static function output_grouped( $args = array() ){ } } } + $events_dates = apply_filters('em_events_output_grouped_events_dates', $events_dates, $args); foreach ($events_dates as $month => $events){ $EM_DateTime = new EM_DateTime($month); echo str_replace('#s', $EM_DateTime->i18n($format), $args['header_format']); @@ -443,6 +445,7 @@ public static function output_grouped( $args = array() ){ }while( $EM_DateTime <= $EM_Event->end() ); } } + $events_dates = apply_filters('em_events_output_grouped_events_dates', $events_dates, $args); foreach ($events_dates as $date => $events){ $dates_formatted = $EM_DateTime->modify($date)->i18n($format). get_option('dbem_dates_separator') . $EM_DateTime->add('P6D')->i18n($format); echo str_replace('#s', $dates_formatted, $args['header_format']); @@ -465,6 +468,7 @@ public static function output_grouped( $args = array() ){ }while( $EM_DateTime <= $EM_Event->end() ); } } + $events_dates = apply_filters('em_events_output_grouped_events_dates', $events_dates, $args); foreach ($events_dates as $date => $events){ echo str_replace('#s', $EM_DateTime->modify($date)->i18n($format), $args['header_format']); echo self::output($events, $atts); @@ -478,7 +482,7 @@ public static function output_grouped( $args = array() ){ }elseif( $args['no_results_msg'] !== false ){ echo !empty($args['no_results_msg']) ? $args['no_results_msg'] : get_option('dbem_no_events_message'); } - return ob_get_clean(); + return apply_filters('em_events_output_grouped', ob_get_clean(), $events, $args); } public static function get_pagination_links($args, $count, $search_action = 'search_events', $default_args = array()){ diff --git a/classes/em-taxonomy-frontend.php b/classes/em-taxonomy-frontend.php index 4a17499..b5ab611 100644 --- a/classes/em-taxonomy-frontend.php +++ b/classes/em-taxonomy-frontend.php 
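Review bot: The new `return apply_filters('em_events_output_grouped', ob_get_clean(), $events, $args);` passes `$events`, which in the visible lines is only the value variable of the `foreach ($events_dates as ... => $events)` loops. If that holds for the rest of output_grouped() (its start is outside these hunks), callbacks receive just the last group's events, and an undefined variable on the `no_results_msg` branch. Passing `$events_dates`, initialised to an empty array before the mode branches, would give callbacks a stable argument. A one-line comment above each new filter naming its argument types would also help third-party code that hooks `em_events_output_grouped_events_dates`.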
@@ -83,6 +83,15 @@ public static function template($template = ''){ //sort out filters add_filter('wp_head', 'EM_Taxonomy_Frontend::remove_em_the_content', 10000); add_filter('the_content', array(self::$this_class,'the_content')); //come in slightly early and consider other plugins + // Meta Tag Manager Tweaks + if( defined('MTM_VERSION') ) { + add_filter('mtm_is_taxonomy_page', '__return_true'); + add_filter('mtm_is_cpt_page', '__return_false'); + add_filter('mtm_get_queried_object', function(){ + global $em_the_query; + return $em_the_query->get_queried_object(); + }); + } //Yoast WP SEO Tweals if( defined('WPSEO_VERSION') ){ add_filter('wpseo_breadcrumb_links',array(self::$this_class,'wpseo_breadcrumb_links')); diff --git a/classes/em-ticket.php b/classes/em-ticket.php index 3608334..a3e549c 100644 --- a/classes/em-ticket.php +++ b/classes/em-ticket.php @@ -341,6 +341,7 @@ function validate(){ } function is_available( $ignore_member_restrictions = false, $ignore_guest_restrictions = false ){ + if( EM_Bookings::$disable_restrictions ) return true; // complete short-circuit if( isset($this->is_available) && !$ignore_member_restrictions && !$ignore_guest_restrictions ) return apply_filters('em_ticket_is_available', $this->is_available, $this); //save extra queries if doing a standard check $is_available = false; $EM_Event = $this->get_event(); 
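Review bot: The `mtm_get_queried_object` closure calls `$em_the_query->get_queried_object()` without checking that the global is populated. Where `$em_the_query` is assigned is outside the hunk, so if this filter can run on a request where it was never set, the call is made on null. Assuming the filter passes the current object as its first argument, `function( $object ){ global $em_the_query; return is_object($em_the_query) ? $em_the_query->get_queried_object() : $object; }` keeps the override safe.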
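Review bot: `if( EM_Bookings::$disable_restrictions ) return true;` at the top of is_available() lets one static flag override every check in the method (spaces, RSVP dates, member roles), and it returns before the `em_ticket_is_available` filter runs, so restrictions that other code enforces through that filter are skipped too. Because the flag is a class-wide static, it stays in effect for the rest of the request unless the code that sets it also resets it. That code is outside this diff, so it should be confirmed to sit behind a capability check and to restore the flag once the manual booking is done. A comment on the line such as `// admin manual bookings only: bypasses all checks and the em_ticket_is_available filter` would make the intent reviewable.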
@@ -350,7 +351,7 @@ function is_available( $ignore_member_restrictions = false, $ignore_guest_restri $condition_3 = $EM_Event->rsvp_end()->getTimestamp() > time(); //either defined ending rsvp time, or start datetime is used here $condition_4 = !$this->ticket_members || ($this->ticket_members && is_user_logged_in()) || $ignore_member_restrictions; $condition_5 = true; - if( !$ignore_member_restrictions && !EM_Bookings::$disable_restrictions && $this->ticket_members && !empty($this->ticket_members_roles) ){ + if( !$ignore_member_restrictions && $this->ticket_members && !empty($this->ticket_members_roles) ){ //check if user has the right role to use this ticket $condition_5 = false; if( is_user_logged_in() ){ diff --git a/classes/event-locations/em-event-location-url.php b/classes/event-locations/em-event-location-url.php index c89f3a9..5d8707d 100644 --- a/classes/event-locations/em-event-location-url.php +++ b/classes/event-locations/em-event-location-url.php @@ -21,11 +21,11 @@ public function get_post(){ if( !empty($_POST['event_location_url_text']) ){ $this->data['text'] = sanitize_text_field($_POST['event_location_url_text']); } - return $return; + return apply_filters('em_event_location_url_get_post', $return, $this); } public function validate(){ - $result = false; + $result = parent::validate(); if( empty($this->data['url']) ){ $this->event->add_error( __('Please enter a valid URL for this event location.', 'events-manager') ); $result = false; @@ -34,7 +34,7 @@ public function validate(){ $this->event->add_error( __('Please provide some link text for this event location URL.', 'events-manager') ); $result = false; } - return $result; + return apply_filters('em_event_location_url_validate', $result, $this); } public function get_link( $new_target = true ){ 
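Review bot: In URL::validate(), `$result = parent::validate();` starts from the parent's value, which this same commit defines as `apply_filters('em_event_location_validate', false, $this)`, and the visible lines of the method only ever assign `false`. Unless a line between the two hunks sets it to true, a location with both a URL and link text still validates as false unless a filter overrides it. Starting from `$result = true;` and letting `em_event_location_url_validate` adjust the outcome would match the error handling below. The URL is also tested only with `empty()` although the message asks for a valid URL, so a format check (for example requiring `esc_url_raw()` to return a non-empty string) belongs here now that the value is also written to the iCal feed.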
@@ -68,5 +68,9 @@ public function output( $what = null, $target = null ){ return parent::output($what); } } + + public function get_ical_location(){ + return $this->url; + } } URL::init(); \ No newline at end of file diff --git a/classes/event-locations/em-event-location.php b/classes/event-locations/em-event-location.php index 6001f1c..594890a 100644 --- a/classes/event-locations/em-event-location.php +++ b/classes/event-locations/em-event-location.php @@ -103,6 +103,7 @@ public function load_postdata( $event_meta = array(), $reload = false ){ $this->data[$key] = maybe_unserialize($this->data[$key]); } } + do_action('em_event_location_load_postdata', $this); } /** @@ -111,14 +112,14 @@ public function load_postdata( $event_meta = array(), $reload = false ){ */ public function get_post(){ $this->data = array(); - return true; + return apply_filters('em_event_location_get_post', true, $this); } /** * @return boolean */ public function validate(){ - return false; + return apply_filters('em_event_location_validate', false, $this); } public function save(){ @@ -133,13 +134,14 @@ public function save(){ } } } - return true; + return apply_filters('em_event_location_save', true, $this); } public function delete(){ $this->reset_data(); $this->data = array(); - return true; + do_action('em_event_location_deleted', $this); + return apply_filters('em_event_location_delete', true, $this); } /** @@ -199,6 +201,10 @@ public function output( $what = null, $target = null ){ return static::get_label(); } } + + public function get_ical_location(){ + return false; + } } //include default Event Locations diff --git a/em-functions.php b/em-functions.php index 39f48c0..47b256d 100644 --- a/em-functions.php +++ b/em-functions.php 
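Review bot: Both new `get_ical_location()` methods are added without a docblock, while the neighbouring methods in Event_Location carry `@return` tags. The contract matters to the caller in ical.php: the base class returns `false`, the URL class returns `$this->url` as stored, and neither escapes the value for iCalendar. I would add `/** @return string|false Unescaped text for the iCal LOCATION property, or false if this location type has none. */` above the base method and a matching one-liner on the override.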
@@ -615,20 +615,23 @@ function em_get_search_form_defaults($args = array()){ //merge defaults with supplied arguments $args = array_merge($search_args, $args); //overwrite with $_REQUEST defaults in event of a submitted search - if( isset($_REQUEST['geo']) ) $args['geo'] = $_REQUEST['geo']; //if geo search string requested, use that for search form - if( isset($_REQUEST['near']) ) $args['near'] = wp_unslash($_REQUEST['near']); //if geo search string requested, use that for search form - if( isset($_REQUEST['em_search']) ) $args['search'] = wp_unslash($_REQUEST['em_search']); //if geo search string requested, use that for search form - if( isset($_REQUEST['category']) ) $args['category'] = $_REQUEST['category']; //if state requested, use that for searching - if( isset($_REQUEST['country']) ) $args['country'] = wp_unslash($_REQUEST['country']); //if country requested, use that for searching - if( isset($_REQUEST['region']) ) $args['region'] = wp_unslash($_REQUEST['region']); //if region requested, use that for searching - if( isset($_REQUEST['state']) ) $args['state'] = wp_unslash($_REQUEST['state']); //if state requested, use that for searching - if( isset($_REQUEST['town']) ) $args['town'] = wp_unslash($_REQUEST['town']); //if state requested, use that for searching - if( isset($_REQUEST['near_unit']) ) $args['near_unit'] = $_REQUEST['near_unit']; //if state requested, use that for searching - if( isset($_REQUEST['near_distance']) ) $args['near_distance'] = $_REQUEST['near_distance']; //if state requested, use that for searching + if( isset($_REQUEST['geo']) ) $args['geo'] = sanitize_text_field($_REQUEST['geo']); //if geo search string requested, use that for search form + if( isset($_REQUEST['near']) ) $args['near'] = sanitize_text_field(wp_unslash($_REQUEST['near'])); //if geo search string requested, use that for search form + if( isset($_REQUEST['em_search']) ) $args['search'] = sanitize_text_field(wp_unslash($_REQUEST['em_search'])); //if geo search string 
requested, use that for search form + if( isset($_REQUEST['category']) ) $args['category'] = sanitize_text_field($_REQUEST['category']); //if category requested, use that for searching + if( isset($_REQUEST['country']) ) $args['country'] = sanitize_text_field(wp_unslash($_REQUEST['country'])); //if country requested, use that for searching + if( isset($_REQUEST['region']) ) $args['region'] = sanitize_text_field(wp_unslash($_REQUEST['region'])); //if region requested, use that for searching + if( isset($_REQUEST['state']) ) $args['state'] = sanitize_text_field(wp_unslash($_REQUEST['state'])); //if state requested, use that for searching + if( isset($_REQUEST['town']) ) $args['town'] = sanitize_text_field(wp_unslash($_REQUEST['town'])); //if state requested, use that for searching + if( isset($_REQUEST['near_unit']) ) $args['near_unit'] = sanitize_text_field($_REQUEST['near_unit']); //if state requested, use that for searching + if( isset($_REQUEST['near_distance']) ) $args['near_distance'] = sanitize_text_field($_REQUEST['near_distance']); //if state requested, use that for searching if( !empty($_REQUEST['scope']) && !is_array($_REQUEST['scope'])){ - $args['scope'] = explode(',',$_REQUEST['scope']); //convert scope to an array in event of pagination + $args['scope'] = explode(',',sanitize_text_field($_REQUEST['scope'])); //convert scope to an array in event of pagination }elseif( !empty($_REQUEST['scope']) ){ - $args['scope'] = $_REQUEST['scope']; + $args['scope'] = array(); // reset and populate sanitized + foreach( $_REQUEST['scope'] as $k => $v ){ + $args['scope'][absint($k)] = sanitize_text_field($v); + } } return $args; } diff --git a/events-manager.php b/events-manager.php index bc951e3..1f27814 100644 --- a/events-manager.php +++ b/events-manager.php 
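Review bot: `near_unit` and `near_distance` are constrained values, but the new lines only pass them through `sanitize_text_field()`, which strips tags and line breaks and does not enforce a unit list or a number. Checking `near_unit` against the units the search form offers and casting the distance, e.g. `$args['near_distance'] = absint($_REQUEST['near_distance']);` if whole numbers are expected, is tighter; the templates that print these args still need `esc_attr()` at output. `geo`, `category`, `near_unit`, `near_distance` and `scope` also skip the `wp_unslash()` that the other fields get. `sanitize_text_field()` returns an empty string for arrays, so if `category` can arrive as an array (not visible here), this change silently drops it. em_get_search_form_defaults() starts outside the hunk.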
@@ -1,7 +1,7 @@ getVcsApi()->enableReleaseAssets(); // Setting constants -define('EM_VERSION', 5.99911); //self expanatory, although version currently may not correspond directly with published version number. until 6.0 we're stuck updating 5.999.x +define('EM_VERSION', 5.99912); //self expanatory, although version currently may not correspond directly with published version number. until 6.0 we're stuck updating 5.999.x define('EM_PRO_MIN_VERSION', 2.6712); //self expanatory define('EM_PRO_MIN_VERSION_CRITICAL', 2.377); //self expanatory define('EM_DIR', dirname( __FILE__ )); //an absolute path to this directory @@ -337,6 +337,11 @@ public static function public_enqueue() { public static function admin_enqueue( $hook_suffix = false ){ if( $hook_suffix == 'post.php' || (!empty($_GET['page']) && substr($_GET['page'],0,14) == 'events-manager') || (!empty($_GET['post_type']) && in_array($_GET['post_type'], array(EM_POST_TYPE_EVENT,EM_POST_TYPE_LOCATION,'event-recurring'))) ){ + if( $hook_suffix == 'post.php' && empty($_GET['post_type']) && !empty($_GET['post']) ){ + // don't load if the post being edited isn't an EM one + $post = get_post($_GET['post']); + if( !in_array($post->post_type, array(EM_POST_TYPE_EVENT,EM_POST_TYPE_LOCATION,'event-recurring')) ) return; + } wp_enqueue_style( 'wp-color-picker' ); wp_enqueue_script('events-manager', plugins_url('includes/js/events-manager.js',__FILE__), array('jquery', 'jquery-ui-core','jquery-ui-widget','jquery-ui-position','jquery-ui-sortable','jquery-ui-datepicker','jquery-ui-autocomplete','jquery-ui-dialog','wp-color-picker'), EM_VERSION); do_action('em_enqueue_admin_scripts'); diff --git a/readme.txt b/readme.txt index 9dc9488..a4b4e53 100644 --- a/readme.txt +++ b/readme.txt 
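Review bot: In admin_enqueue(), `get_post($_GET['post'])` can return null for an id that does not exist, and the next line reads `$post->post_type` without checking. Casting the id and guarding the result keeps this early return from raising warnings: `$post = get_post( absint($_GET['post']) );` followed by `if( !$post || !in_array($post->post_type, array(EM_POST_TYPE_EVENT,EM_POST_TYPE_LOCATION,'event-recurring'), true) ) return;`. The local also reuses the name of the WordPress `$post` global, which is easy to misread; `$edited_post` would be clearer. The method continues outside the hunk.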
@@ -4,8 +4,8 @@ Donate link: http://wp-events-plugin.com Tags: bookings, calendar, tickets, events, buddypress, event management, google maps, maps, locations, registration, zoom Text Domain: events-manager Requires at least: 5.2 -Tested up to: 5.8 -Stable tag: 5.11.1 +Tested up to: 6.0 +Stable tag: 5.12.1 Requires PHP: 5.3 Fully featured event registration management including recurring events, locations management, calendar, Google map integration, booking management @@ -119,6 +119,22 @@ See our [FAQ](http://wp-events-plugin.com/documentation/faq/) page, which is upd 6. Manage attendees with various booking reports == Changelog == += 5.12.2 = +* 5.12.1 with GGG mods + += 5.12.1 = +* fixed issue with scope sanitization preventing search form searching by date range +* added limitation to prevent JS loading on non-EM post type editors to potentially help prevent 3rd party conflicts +* added support for event location displaying url or other custom info for the ical LOCATION property + += 5.12 = +* changed EM_Booking::$disable_restricions so that all ticket restrictions can ignored for admin manual bookings (pro feature) including spaces, roles and dates +* added taxonomy filters for Meta Tag Manager compatibility on overriden taxonomy pages +* added filters to Event_Locations\Event_Location and Event_Locations\URL +* added filters to EM_Events::output_grouped() +* fixed #_EVENTDATES_LOCAL and #_24HHTIMES_LOCAL showing time/date range even if time/dates are the same +* fixed XSS security vulnerability reported by/via WP Plugins team + = 5.11.1 = * 5.11 with GGG mods diff --git a/templates/forms/event/attributes-public.php b/templates/forms/event/attributes-public.php index 6936710..71c962c 100755 --- a/templates/forms/event/attributes-public.php +++ b/templates/forms/event/attributes-public.php @@ -11,19 +11,19 @@ 0 ) : ?>
- + 1 ): ?> - event_attributes) && array_key_exists($name, $EM_Event->event_attributes) && $EM_Event->event_attributes[$name]==$attribute_val ): ?> - + - + - +
diff --git a/templates/forms/location/attributes-public.php b/templates/forms/location/attributes-public.php index 654b60b..e4f8140 100755 --- a/templates/forms/location/attributes-public.php +++ b/templates/forms/location/attributes-public.php @@ -11,19 +11,19 @@ 0 ) : ?>
- + 1 ): ?> - location_attributes) && array_key_exists($name, $EM_Location->location_attributes) && $EM_Location->location_attributes[$name]==$attribute_val ): ?> - + - + - +
diff --git a/templates/templates/events-search.php b/templates/templates/events-search.php index 0921bfe..35bc9e2 100644 --- a/templates/templates/events-search.php +++ b/templates/templates/events-search.php @@ -60,8 +60,8 @@ - - + + diff --git a/templates/templates/ical.php b/templates/templates/ical.php index b64e77d..c8aad16 100644 --- a/templates/templates/ical.php +++ b/templates/templates/ical.php @@ -99,6 +99,11 @@ $apple_structured_location = str_replace('"', '\"', $apple_structured_location); //google chucks a wobbly with these on this line $apple_structured_location = em_mb_ical_wordwrap($apple_structured_location); } + }elseif( $EM_Event->has_event_location() ){ + $ical_location = $EM_Event->get_event_location()->get_ical_location(); + if( $ical_location ){ + $location = em_mb_ical_wordwrap('LOCATION:'.$ical_location); + } } $categories = array(); foreach( $EM_Event->get_categories() as $EM_Category ){ /* @var EM_Category $EM_Category */ diff --git a/templates/templates/search/geo-units.php b/templates/templates/search/geo-units.php index b276c22..bd65bc2 100755 --- a/templates/templates/search/geo-units.php +++ b/templates/templates/search/geo-units.php @@ -5,7 +5,7 @@
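Review bot: The new `elseif` branch in ical.php builds `'LOCATION:'.$ical_location` from the event-location value with no iCalendar text escaping, whereas the context line just above at least escapes quotes in `$apple_structured_location`. A value containing a comma, semicolon, backslash or line break would yield a malformed property or spill into the following line of the feed; how the URL is sanitised on save is not visible in this diff. Escaping before wrapping keeps the value on one logical line: `$ical_location = str_replace(array("\r","\n"), ' ', $ical_location);` then `$ical_location = preg_replace('/([\\\\,;])/', '\\\\$1', $ical_location);`. The surrounding block starts outside the hunk, so whether the venue-location branch already has a shared escaping helper to reuse should be checked.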