diff --git a/airtime_mvc/application/controllers/LibraryController.php b/airtime_mvc/application/controllers/LibraryController.php
index 2b38349dd..1e3ac996a 100644
--- a/airtime_mvc/application/controllers/LibraryController.php
+++ b/airtime_mvc/application/controllers/LibraryController.php
@@ -385,6 +385,15 @@ class LibraryController extends Zend_Controller_Action
         //TODO move this to the datatables row callback.
         foreach ($r["aaData"] as &$data) {
 
+            foreach ($data as $k => &$v) {
+                if ($k != "image" && $k != "checkbox") {
+                    $v = htmlspecialchars($v);
+                }
+            }
+            //TODO: Replace the above foreach loop with the line below when ticket
+            //CC-4896 is completed.
+            //$data = array_map('htmlspecialchars', $data);
+
             if ($data['ftype'] == 'audioclip') {
                 $file = Application_Model_StoredFile::Recall($data['id']);
                 $scid = $file->getSoundCloudId();
diff --git a/airtime_mvc/application/controllers/UserController.php b/airtime_mvc/application/controllers/UserController.php
index 395156f97..3faa1477f 100644
--- a/airtime_mvc/application/controllers/UserController.php
+++ b/airtime_mvc/application/controllers/UserController.php
@@ -115,7 +115,7 @@ class UserController extends Zend_Controller_Action
         $post = $this->getRequest()->getPost();
         $users = Application_Model_User::getUsersDataTablesInfo($post);
 
-        die(json_encode($users));
+        $this->_helper->json->sendJson($users);
     }
 
     public function getUserDataAction()
diff --git a/airtime_mvc/application/layouts/scripts/layout.phtml b/airtime_mvc/application/layouts/scripts/layout.phtml
index 29d04c0d6..dedda7c88 100644
--- a/airtime_mvc/application/layouts/scripts/layout.phtml
+++ b/airtime_mvc/application/layouts/scripts/layout.phtml
@@ -24,7 +24,7 @@
     <div class="personal-block solo">
         <ul>
           <li>
-            <a id="current-user" href=<?php echo $baseUrl . "User/edit-user"?>><span class="name"><?php echo $this->loggedInAs()?></span></a> | <a href=<?php echo $baseUrl . "Login/logout"?>><?php echo _("Logout")?></a>
+            <a id="current-user" href=<?php echo $baseUrl . "User/edit-user"?>><span class="name"><?php echo $this->escape($this->loggedInAs()); ?></span></a> | <a href=<?php echo $baseUrl . "Login/logout"?>><?php echo _("Logout")?></a>
           </li>
         </ul>
     </div>
diff --git a/airtime_mvc/application/models/ShowBuilder.php b/airtime_mvc/application/models/ShowBuilder.php
index a1ef7c588..72a5f6ab0 100644
--- a/airtime_mvc/application/models/ShowBuilder.php
+++ b/airtime_mvc/application/models/ShowBuilder.php
@@ -227,7 +227,7 @@ class Application_Model_ShowBuilder
         $row["endDate"]   = $showEndDT->format("Y-m-d");
         $row["endTime"]   = $showEndDT->format("H:i");
         $row["duration"]  = floatval($showEndDT->format("U.u")) - floatval($showStartDT->format("U.u"));
-        $row["title"]     = $p_item["show_name"];
+        $row["title"]     = htmlspecialchars($p_item["show_name"]);
         $row["instance"]  = intval($p_item["si_id"]);
         $row["image"]     = '';
 
diff --git a/airtime_mvc/application/models/User.php b/airtime_mvc/application/models/User.php
index 63b82820a..97c9ca3ad 100644
--- a/airtime_mvc/application/models/User.php
+++ b/airtime_mvc/application/models/User.php
@@ -335,6 +335,8 @@ class Application_Model_User
             } else {
                 $record['delete'] = "";
             }
+
+            $record = array_map('htmlspecialchars', $record);
         }
 
         return $res;
diff --git a/airtime_mvc/application/views/scripts/form/edit-user.phtml b/airtime_mvc/application/views/scripts/form/edit-user.phtml
index cd4b70bd9..79a0081fc 100644
--- a/airtime_mvc/application/views/scripts/form/edit-user.phtml
+++ b/airtime_mvc/application/views/scripts/form/edit-user.phtml
@@ -1,4 +1,4 @@
-<h2><? echo sprintf(_("%s's Settings"), $this->currentUser) ?></h2>
+<h2><? echo sprintf(_("%s's Settings"), $this->escape($this->currentUser)) ?></h2>
 <div id="current-user-container">
 <form id="current-user-form" class="edit-user-global" method="post" enctype="application/x-www-form-urlencoded">
     <dl class="zend_form">
@@ -160,4 +160,4 @@
         <button type="submit" id="cu_save_user" class="btn btn-small right-floated"><?php echo _("Save")?></button>
     </dl>
 </form>
-</div>
\ No newline at end of file
+</div>
diff --git a/airtime_mvc/application/views/scripts/form/preferences_watched_dirs.phtml b/airtime_mvc/application/views/scripts/form/preferences_watched_dirs.phtml
index 4889892dd..ad8e77797 100644
--- a/airtime_mvc/application/views/scripts/form/preferences_watched_dirs.phtml
+++ b/airtime_mvc/application/views/scripts/form/preferences_watched_dirs.phtml
@@ -11,7 +11,7 @@
             <?php if($this->element->getElement('storageFolder')->hasErrors()) : ?>
                 <ul class='errors'>
                     <?php foreach($this->element->getElement('storageFolder')->getMessages() as $error): ?>
-                        <li><?php echo $error; ?></li>
+                        <li><?php echo $this->escape($error); ?></li>
                     <?php endforeach; ?>
                 </ul>
             <?php endif; ?>
@@ -29,7 +29,7 @@
             <?php if($this->element->getElement('watchedFolder')->hasErrors()) : ?>
                 <ul class='errors'>
                     <?php foreach($this->element->getElement('watchedFolder')->getMessages() as $error): ?>
-                        <li><?php echo $error; ?></li>
+                        <li><?php echo $this->escape($error); ?></li>
                     <?php endforeach; ?>
                 </ul>
             <?php endif; ?>
diff --git a/airtime_mvc/application/views/scripts/playlist/playlist.phtml b/airtime_mvc/application/views/scripts/playlist/playlist.phtml
index f8496d926..a516f2746 100644
--- a/airtime_mvc/application/views/scripts/playlist/playlist.phtml
+++ b/airtime_mvc/application/views/scripts/playlist/playlist.phtml
@@ -39,7 +39,7 @@ if (isset($this->obj)) {
     <input id='obj_type' type='hidden' value='playlist'></input>
     <div class="playlist_title">
         <h3 id="obj_name">
-            <a id="playlist_name_display" contenteditable="true"><?php echo $this->obj->getName(); ?></a>
+            <a id="playlist_name_display" contenteditable="true"><?php echo $this->escape($this->obj->getName()); ?></a>
         </h3>
         <h4 id="obj_length"><?php echo $this->length; ?></h4>
     </div>
diff --git a/airtime_mvc/public/js/airtime/preferences/streamsetting.js b/airtime_mvc/public/js/airtime/preferences/streamsetting.js
index 54bb986ca..6e76b693c 100644
--- a/airtime_mvc/public/js/airtime/preferences/streamsetting.js
+++ b/airtime_mvc/public/js/airtime/preferences/streamsetting.js
@@ -28,7 +28,7 @@ function rebuildStreamURL(ele){
     }else{
         streamurl = "http://"+host+":"+port+"/"
     }
-    div.find("#stream_url").html(streamurl)
+    div.find("#stream_url").text(streamurl)
 }
 function restrictOggBitrate(ele, on){
     var div = ele.closest("div")