XSS exploit prevention

- Calendar - Show Contents
- Playlist tooltip in Library page
- Adding track to a show
- Widgets
- Playlist/Webstream title and description
- Smart block expansion

airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml

@@ -1,3 +1,9 @@
+<?php 
+//XSS exploit prevention
+foreach ($this->md as $key => &$value) {
+    $value = $this->escape($value);
+}
+?>
 <?php if($this->type == "audioclip") : ?>
 <table class='library-track-md'>
 <tr><td><? echo _("Title:"); ?></td><td><?php echo ($this->md["MDATA_KEY_TITLE"]);?></td></tr>
@@ -41,9 +47,18 @@
 <span class='static'>o</span> <span><? echo _("Static Smart Block"); ?></span><br />
 <span>o</span> <span><? echo _("Audio Track"); ?></span>
 </div>
+
 <?php } ?>
 
     <?php if ($this->type == "playlist" || ($this->type == "block" && $this->blType == "Static")) {?>
+        <?php
+        //XSS exploit prevention
+        /*foreach ($this->contents as &$item) {
+            foreach ($item as $key => &$value) {
+                $value = $this->escape($value);
+            }
+        }*/
+        ?>
         <?php if ($this->type == "playlist") { ?>
             <div class='file-md-qtip-left'><span><? echo _("Playlist Contents: "); ?></span></div>
         <?php } else { ?>
@@ -88,9 +103,13 @@
     <?php } elseif ($this->blType == "Dynamic") { ?>
         <div class='file-md-qtip-left'><span><? echo _("Dynamic Smart Block Criteria: "); ?></span></div>
         <table class='library-get-file-md table-small'>
-        <?php foreach ($this->contents["crit"] as $criterias) : ?>
-            <?php foreach ($criterias as $crit ) : ?>
+        <?php foreach ($this->contents["crit"] as &$criterias) : ?>
+            <?php foreach ($criterias as &$crit ) : ?>
                 <?php
+                // XSS exploit prevention
+                //$crit["value"] = htmlspecialchars($crit["value"]);
+                //$crit["extra"] = htmlspecialchars($crit["extra"]);
+
                 $valMaxStrLen = 25;
                 if (strlen($crit["value"]) > $valMaxStrLen) {
                     $crit["value"] = substr($crit["value"], 0, 24)."...";

airtime_mvc/application/views/scripts/playlist/smart-block.phtml

@@ -39,7 +39,7 @@ if (isset($this->obj)) {
             <a id="playlist_name_display" contenteditable="true">
             <?php
                 if (isset($this->unsavedName)) echo $this->unsavedName;
-                else echo $this->obj->getName();
+                else echo $this->escape($this->obj->getName());
             ?>
             </a>
         </h3>

airtime_mvc/application/views/scripts/playlist/update.phtml

@@ -8,7 +8,6 @@ if ($item['type'] == 2) {
     $bl= new Application_Model_Block($item['item_id']);
     $staticBlock = $bl->isStatic();
 }
-$item["track_title"] = $this->escape($item["track_title"]);
 ?>
     <li class="ui-state-default" id="spl_<?php echo $item["id"] ?>" unqid="<?php echo $item["id"]; ?>">
         <div class="list-item-container">

airtime_mvc/application/views/scripts/webstream/webstream.phtml

@@ -29,7 +29,7 @@
     <div class="playlist_title">
         <div id="name-error" class="errors" style="display:none;"></div>
         <h3 id="ws_name">
-            <a id="playlist_name_display" contenteditable="true"><?php echo $this->obj->getName(); ?></a>
+            <a id="playlist_name_display" contenteditable="true"><?php echo $this->escape($this->obj->getName()); ?></a>
         </h3>
         <h4 id="ws_length"><?php echo $this->obj->getDefaultLength(); ?></h4>
     </div>