diff --git a/airtime_mvc/application/controllers/ApiController.php b/airtime_mvc/application/controllers/ApiController.php
index 6bbe480da..62823103d 100644
--- a/airtime_mvc/application/controllers/ApiController.php
+++ b/airtime_mvc/application/controllers/ApiController.php
@@ -261,7 +261,14 @@ class ApiController extends Zend_Controller_Action
                                 "currentShow"=>Application_Model_Show::getCurrentShow($utcTimeNow),
                                 "nextShow"=>Application_Model_Show::getNextShows($utcTimeNow, $limit, $utcTimeEnd)
                             );
-
+                // XSS exploit prevention
+                foreach ($result["currentShow"] as &$current) {
+                    $current["name"] = htmlspecialchars($current["name"]);
+                }
+                foreach ($result["nextShow"] as &$next) {
+                    $next["name"] = htmlspecialchars($next["name"]);
+                }
+                
                 Application_Model_Show::convertToLocalTimeZone($result["currentShow"],
                         array("starts", "ends", "start_timestamp", "end_timestamp"));
                 Application_Model_Show::convertToLocalTimeZone($result["nextShow"],
@@ -269,6 +276,17 @@ class ApiController extends Zend_Controller_Action
             } else {
                 $result = Application_Model_Schedule::GetPlayOrderRange();
 
+                // XSS exploit prevention
+                $result["previous"]["name"] = htmlspecialchars($result["previous"]["name"]);
+                $result["current"]["name"] = htmlspecialchars($result["current"]["name"]);
+                $result["next"]["name"] = htmlspecialchars($result["next"]["name"]);
+                foreach ($result["currentShow"] as &$current) {
+                    $current["name"] = htmlspecialchars($current["name"]);
+                }
+                foreach ($result["nextShow"] as &$next) {
+                    $next["name"] = htmlspecialchars($next["name"]);
+                }
+
                 //Convert from UTC to localtime for Web Browser.
                 Application_Model_Show::ConvertToLocalTimeZone($result["currentShow"],
                         array("starts", "ends", "start_timestamp", "end_timestamp"));
@@ -315,7 +333,15 @@ class ApiController extends Zend_Controller_Action
 
                 $result[$dow[$i]] = $shows;
             }
-            
+
+            // XSS exploit prevention
+            foreach ($dow as $d) {
+                foreach ($result[$d] as &$show) {
+                    $show["name"] = htmlspecialchars($show["name"]);
+                    $show["url"] = htmlspecialchars($show["url"]);
+                }
+            }
+
             //used by caller to determine if the airtime they are running or widgets in use is out of date.
             $result['AIRTIME_API_VERSION'] = AIRTIME_API_VERSION;
             header("Content-type: text/javascript");
diff --git a/airtime_mvc/application/models/Block.php b/airtime_mvc/application/models/Block.php
index 7053e658d..ffe15ac56 100644
--- a/airtime_mvc/application/models/Block.php
+++ b/airtime_mvc/application/models/Block.php
@@ -257,6 +257,10 @@ SQL;
             //format original length
             $formatter = new LengthFormatter($row['orig_length']);
             $row['orig_length'] = $formatter->format();
+
+            // XSS exploit prevention
+            $row["track_title"] = htmlspecialchars($row["track_title"]);
+            $row["creator"] = htmlspecialchars($row["creator"]);
         }
 
         return $rows;
@@ -1241,7 +1245,7 @@ SQL;
         foreach ($out as $crit) {
             $criteria = $crit->getDbCriteria();
             $modifier = $crit->getDbModifier();
-            $value = $crit->getDbValue();
+            $value = htmlspecialchars($crit->getDbValue());
             $extra = $crit->getDbExtra();
 
             if ($criteria == "limit") {
diff --git a/airtime_mvc/application/models/Playlist.php b/airtime_mvc/application/models/Playlist.php
index 1c446f182..6745eecc6 100644
--- a/airtime_mvc/application/models/Playlist.php
+++ b/airtime_mvc/application/models/Playlist.php
@@ -269,6 +269,10 @@ SQL;
             //format original length
             $formatter = new LengthFormatter($row['orig_length']);
             $row['orig_length'] = $formatter->format();
+
+            // XSS exploit prevention
+            $row["track_title"] = htmlspecialchars($row["track_title"]);
+            $row["creator"] = htmlspecialchars($row["creator"]);
         }
 
         return $rows;
diff --git a/airtime_mvc/application/models/ShowBuilder.php b/airtime_mvc/application/models/ShowBuilder.php
index 72a5f6ab0..fd85487db 100644
--- a/airtime_mvc/application/models/ShowBuilder.php
+++ b/airtime_mvc/application/models/ShowBuilder.php
@@ -275,9 +275,9 @@ class Application_Model_ShowBuilder
             $formatter       = new LengthFormatter(Application_Common_DateHelper::ConvertMSToHHMMSSmm($run_time*1000));
             $row['runtime']  = $formatter->format();
 
-            $row["title"]    = $p_item["file_track_title"];
-            $row["creator"]  = $p_item["file_artist_name"];
-            $row["album"]    = $p_item["file_album_title"];
+            $row["title"]    = htmlspecialchars($p_item["file_track_title"]);
+            $row["creator"]  = htmlspecialchars($p_item["file_artist_name"]);
+            $row["album"]    = htmlspecialchars($p_item["file_album_title"]);
 
             $row["cuein"]    = $p_item["cue_in"];
             $row["cueout"]   = $p_item["cue_out"];
diff --git a/airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml b/airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml
index 4b1a38839..0e0d9cbcb 100644
--- a/airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml
+++ b/airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml
@@ -1,3 +1,9 @@
+<?php 
+//XSS exploit prevention
+foreach ($this->md as $key => &$value) {
+    $value = $this->escape($value);
+}
+?>
 <?php if($this->type == "audioclip") : ?>
 <table class='library-track-md'>
 <tr><td><? echo _("Title:"); ?></td><td><?php echo ($this->md["MDATA_KEY_TITLE"]);?></td></tr>
@@ -41,9 +47,18 @@
 <span class='static'>o</span> <span><? echo _("Static Smart Block"); ?></span><br />
 <span>o</span> <span><? echo _("Audio Track"); ?></span>
 </div>
+
 <?php } ?>
 
     <?php if ($this->type == "playlist" || ($this->type == "block" && $this->blType == "Static")) {?>
+        <?php
+        //XSS exploit prevention
+        /*foreach ($this->contents as &$item) {
+            foreach ($item as $key => &$value) {
+                $value = $this->escape($value);
+            }
+        }*/
+        ?>
         <?php if ($this->type == "playlist") { ?>
             <div class='file-md-qtip-left'><span><? echo _("Playlist Contents: "); ?></span></div>
         <?php } else { ?>
@@ -88,9 +103,13 @@
     <?php } elseif ($this->blType == "Dynamic") { ?>
         <div class='file-md-qtip-left'><span><? echo _("Dynamic Smart Block Criteria: "); ?></span></div>
         <table class='library-get-file-md table-small'>
-        <?php foreach ($this->contents["crit"] as $criterias) : ?>
-            <?php foreach ($criterias as $crit ) : ?>
+        <?php foreach ($this->contents["crit"] as &$criterias) : ?>
+            <?php foreach ($criterias as &$crit ) : ?>
                 <?php
+                // XSS exploit prevention
+                //$crit["value"] = htmlspecialchars($crit["value"]);
+                //$crit["extra"] = htmlspecialchars($crit["extra"]);
+
                 $valMaxStrLen = 25;
                 if (strlen($crit["value"]) > $valMaxStrLen) {
                     $crit["value"] = substr($crit["value"], 0, 24)."...";
diff --git a/airtime_mvc/application/views/scripts/playlist/smart-block.phtml b/airtime_mvc/application/views/scripts/playlist/smart-block.phtml
index b1ca48da5..59ea2ce95 100644
--- a/airtime_mvc/application/views/scripts/playlist/smart-block.phtml
+++ b/airtime_mvc/application/views/scripts/playlist/smart-block.phtml
@@ -39,7 +39,7 @@ if (isset($this->obj)) {
             <a id="playlist_name_display" contenteditable="true">
             <?php
                 if (isset($this->unsavedName)) echo $this->unsavedName;
-                else echo $this->obj->getName();
+                else echo $this->escape($this->obj->getName());
             ?>
             </a>
         </h3>
diff --git a/airtime_mvc/application/views/scripts/playlist/update.phtml b/airtime_mvc/application/views/scripts/playlist/update.phtml
index a3a5b5b28..20ef17665 100644
--- a/airtime_mvc/application/views/scripts/playlist/update.phtml
+++ b/airtime_mvc/application/views/scripts/playlist/update.phtml
@@ -8,7 +8,6 @@ if ($item['type'] == 2) {
     $bl= new Application_Model_Block($item['item_id']);
     $staticBlock = $bl->isStatic();
 }
-$item["track_title"] = $this->escape($item["track_title"]);
 ?>
     <li class="ui-state-default" id="spl_<?php echo $item["id"] ?>" unqid="<?php echo $item["id"]; ?>">
         <div class="list-item-container">
diff --git a/airtime_mvc/application/views/scripts/webstream/webstream.phtml b/airtime_mvc/application/views/scripts/webstream/webstream.phtml
index 34131aabd..1c3657a75 100644
--- a/airtime_mvc/application/views/scripts/webstream/webstream.phtml
+++ b/airtime_mvc/application/views/scripts/webstream/webstream.phtml
@@ -29,7 +29,7 @@
     <div class="playlist_title">
         <div id="name-error" class="errors" style="display:none;"></div>
         <h3 id="ws_name">
-            <a id="playlist_name_display" contenteditable="true"><?php echo $this->obj->getName(); ?></a>
+            <a id="playlist_name_display" contenteditable="true"><?php echo $this->escape($this->obj->getName()); ?></a>
         </h3>
         <h4 id="ws_length"><?php echo $this->obj->getDefaultLength(); ?></h4>
     </div>