From 42fd118658dacc6b211f7326ea351807b1a6e6cf Mon Sep 17 00:00:00 2001
From: Duncan Sommerville
Date: Mon, 6 Jul 2015 18:05:05 -0400
Subject: [PATCH 1/2] Comment out table level lock (it can cause dead locks in some edge cases)
---
 airtime_mvc/application/models/Preference.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/airtime_mvc/application/models/Preference.php b/airtime_mvc/application/models/Preference.php
index ec8b49a3c..736dbef98 100644
--- a/airtime_mvc/application/models/Preference.php
+++ b/airtime_mvc/application/models/Preference.php
@@ -31,7 +31,8 @@ class Application_Model_Preference
 $con->beginTransaction();
 try {
- static::_lock($con);
+ /* Comment this out while we reevaluate it in favor of a unique constraint
+ static::_lock($con); */
 $userId = self::getUserId();
 if ($isUserValue && is_null($userId)) {
From 1efa591d67ffe996d46da2cf2e93d1f066d56093 Mon Sep 17 00:00:00 2001
From: Albert Santoni
Date: Thu, 9 Jul 2015 12:49:49 -0400
Subject: [PATCH 2/2] Fixed double HTML encoding on embedded schedule widget
---
 airtime_mvc/application/common/WidgetHelper.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/airtime_mvc/application/common/WidgetHelper.php b/airtime_mvc/application/common/WidgetHelper.php
index 8be23e200..fe36ee317 100644
--- a/airtime_mvc/application/common/WidgetHelper.php
+++ b/airtime_mvc/application/common/WidgetHelper.php
@@ -69,6 +69,8 @@ class WidgetHelper
 * We don't do any timezone conversion in this function on purpose. All timezone conversion
 * and show time ordering should be done on the frontend.
 *
+ * *** This function does no HTML encoding. It is up to the caller to escape or encode the data appropriately.
+ *
 * @return array
 */
 public static function getWeekInfoV2()
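Review bot: With `static::_lock($con)` commented out, the transaction opened just above it has no concurrency control of its own, so two requests setting the same preference at once can both miss the existing row and write duplicates; the read/write steps are below the hunk, so this is inferred from the commit's own "unique constraint" remark rather than visible code, but the constraint is described as future work, which leaves that window open until it lands. A comment naming what must be restored is better than commented-out code: replace the two added lines with `// TODO: table lock removed (deadlock risk); add a unique constraint on the preference key before relying on concurrent writers` and delete the dead `static::_lock` call outright. If the table-level lock is what deadlocks, a narrower `SELECT ... FOR UPDATE` on the row being changed is worth evaluating alongside the constraint. The enclosing method starts and ends outside the hunk.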
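Review bot: The added docblock line is now the only statement of the escaping contract, and "escape or encode the data appropriately" does not say which output context, which is exactly where double- and under-encoding mistakes come from. Suggested wording for the two added lines: ` * NOTE: values are returned raw, with no HTML encoding. Callers must escape per output context (htmlspecialchars for HTML, json_encode for JavaScript/JSON).` The `@return array` could also name the top-level keys the method builds so callers know what needs escaping, though only `$result["shows"]` is visible in this diff. The docblock belongs to getWeekInfoV2, whose body is outside this hunk.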
@@ -139,9 +141,6 @@ class WidgetHelper } $result["shows"] = $shows; - // XSS exploit prevention - SecurityHelper::htmlescape_recursive($result); - // convert image paths to point to api endpoints //TODO: do we need this here? self::findAndConvertPaths($result);
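Review bot: Dropping `SecurityHelper::htmlescape_recursive($result)` moves XSS protection from this one place to every caller of getWeekInfoV2, but the commit changes only the docblock and shows none of the call sites that are now responsible for escaping; any caller that was not the one double-encoding (for example an endpoint that serves this array as JSON for client-side rendering, if one exists) now receives raw show data. Before merging, enumerate the callers of getWeekInfoV2 and confirm each escapes per context (htmlspecialchars into HTML, text nodes or a templating escape where widget JS injects into the DOM), and add a regression test that puts a show name such as `<script>` through the embedded widget path. Note also that `self::findAndConvertPaths($result)` previously ran on already-escaped strings and now sees raw values; if it builds URLs or markup from those values it should be checked too, though its body is not in this diff. The method's return is outside the hunk.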