From b45f71e8f9eb0806beb936d01d820df1481b7990 Mon Sep 17 00:00:00 2001
From: denise
Date: Mon, 4 Feb 2013 12:44:14 -0500
Subject: [PATCH] CC-4897: XSS exploit on library page
---
 airtime_mvc/application/models/StoredFile.php | 2 +-
 airtime_mvc/application/views/scripts/playlist/update.phtml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/airtime_mvc/application/models/StoredFile.php b/airtime_mvc/application/models/StoredFile.php
index 9e69f0d28..9ca6ff32c 100644
--- a/airtime_mvc/application/models/StoredFile.php
+++ b/airtime_mvc/application/models/StoredFile.php
@@ -269,7 +269,7 @@ class Application_Model_StoredFile
 $md = array();
 foreach ($this->_dbMD as $dbColumn => $propelColumn) {
 $method = "get$propelColumn";
- $md[$dbColumn] = htmlspecialchars($this->_file->$method());
+ $md[$dbColumn] = $this->_file->$method();
 }
 return $md;
diff --git a/airtime_mvc/application/views/scripts/playlist/update.phtml b/airtime_mvc/application/views/scripts/playlist/update.phtml
index 20ef17665..a3a5b5b28 100644
--- a/airtime_mvc/application/views/scripts/playlist/update.phtml
+++ b/airtime_mvc/application/views/scripts/playlist/update.phtml
@@ -8,6 +8,7 @@ if ($item['type'] == 2) {
 $bl= new Application_Model_Block($item['item_id']);
 $staticBlock = $bl->isStatic();
 }
+$item["track_title"] = $this->escape($item["track_title"]);
 ?>
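Review bot: Dropping `htmlspecialchars()` from this loop in StoredFile.php means every consumer of the returned metadata array now receives raw, user-controlled tag values, while the commit adds escaping at only one sink (update.phtml). Escaping at output rather than in the model is the sounder design, but each view, JSON response or script that previously relied on the model-side encoding needs its own context-appropriate escaping; those callers are outside this diff and should be audited before merge. The method's signature and docblock are outside the hunk; I would add a comment such as `// Values are returned raw; callers must escape for their output context.` above the loop so the contract is explicit.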
  • " unqid="">
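Review bot: Only `track_title` is escaped in update.phtml, so any other `$item` field the template prints further down (the markup is outside the hunk) is emitted raw now that the model no longer encodes metadata. Overwriting the array entry also risks double-encoding if `$item` is read again later; escaping at each echo site, e.g. `<?php echo $this->escape($item["track_title"]) ?>`, keeps the stored value intact. If `escape()` here is Zend_View's default, it calls `htmlspecialchars()` with `ENT_COMPAT`, which leaves single quotes untouched, so a value placed inside a single-quoted attribute would need `ENT_QUOTES`.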