From 20a3f674b4e1642f62a55c00b87a7239f7c31912 Mon Sep 17 00:00:00 2001
From: denise
Date: Mon, 4 Feb 2013 12:12:57 -0500
Subject: [PATCH] CC-4897: XSS exploit on library page -fixed where this was happening on Calendar - show content
---
 airtime_mvc/application/controllers/ScheduleController.php | 2 +-
 airtime_mvc/application/models/StoredFile.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/airtime_mvc/application/controllers/ScheduleController.php b/airtime_mvc/application/controllers/ScheduleController.php
index 0b384911e..1f3216eed 100644
--- a/airtime_mvc/application/controllers/ScheduleController.php
+++ b/airtime_mvc/application/controllers/ScheduleController.php
@@ -479,7 +479,7 @@ class ScheduleController extends Zend_Controller_Action
 $this->view->percentFilled = $show->getPercentScheduled();
 $this->view->showContent = $show->getShowListContent();
 $this->view->dialog = $this->view->render('schedule/show-content-dialog.phtml');
- $this->view->showTitle = $show->getName();
+ $this->view->showTitle = htmlspecialchars($show->getName());
 unset($this->view->showContent);
 }
diff --git a/airtime_mvc/application/models/StoredFile.php b/airtime_mvc/application/models/StoredFile.php
index cc0d64489..9e69f0d28 100644
--- a/airtime_mvc/application/models/StoredFile.php
+++ b/airtime_mvc/application/models/StoredFile.php
@@ -300,7 +300,7 @@ class Application_Model_StoredFile
 if (isset($dbmd_copy[$value])) {
 $propelColumn = $dbmd_copy[$value];
 $method = "get$propelColumn";
- $md[$constant] = htmlspecialchars($this->_file->$method());
+ $md[$constant] = $this->_file->$method();
 }
 }
 }
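Review bot: The new `htmlspecialchars($show->getName())` on the showTitle assignment relies on PHP's default flags, which with the ENT_COMPAT default leave single quotes unescaped and on PHP before 5.4 assume ISO-8859-1, so a title that lands in a single-quoted attribute or JavaScript string is still exploitable. Pin both explicitly: `$this->view->showTitle = htmlspecialchars($show->getName(), ENT_QUOTES, 'UTF-8');`. Escaping here in the controller rather than in the view also means any other consumer of showTitle (the dialog rendered on the line above, or a JSON response to the calendar front end, if that is how it is used) receives entity-encoded text, so a comment such as `// HTML-escaped here; the view must not escape again` would prevent double-encoding or a later "fix" that strips it. The enclosing action method starts before and ends after this hunk.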
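Review bot: Removing `htmlspecialchars()` from the `$md[$constant]` assignment moves the escaping obligation from the model to every consumer of this metadata array, yet the commit shows only one output site being escaped (the show title in ScheduleController). Any view or endpoint that previously relied on this method returning HTML-safe strings — presumably including the library page named in the subject — now emits raw user-controlled metadata unless it escapes itself, and that should be confirmed for each caller before merging. Making the new contract explicit at this line, `// values are returned raw (not HTML-escaped); callers must escape for their output context`, would stop the next maintainer from assuming the old behaviour. The enclosing method starts before this hunk.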