diff --git a/Changelog b/Changelog
index 1b47bfc..85f5bfe 100644
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,18 @@
 ---------------------------------------------------------------------
+Version 1.0.5 (06edbce)
+---------------------------------------------------------------------
+Server changes:
+	- CORE compliance security patch
+	- Added CORS compliance test scripts
+
+---------------------------------------------------------------------
+Version 1.0.4 (1673785)
+---------------------------------------------------------------------
+Server changes:
+	- Update to DIAL specificiation 1.7
+	- Catch SIGTERM so that we don't self terminate.
+
+---------------------------------------------------------------------
 Version 1.0.2 (1673785)
 ---------------------------------------------------------------------
 Server changes:
diff --git a/LICENSE b/LICENSE
index cfc42fa..0ab73c0 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2012 Netflix, Inc.
+Copyright (c) 2015 Netflix, Inc.
 All rights reserved.
 Redistribution and use in source and binary forms, with or without 
 modification, are permitted provided that the following conditions are met:
diff --git a/README b/README
index be020f5..befd198 100644
--- a/README
+++ b/README
@@ -4,13 +4,11 @@
 1) Define the TARGET environment variable to point to the CC compiler prefix
    for your target platform. 
 
-   For example, using the NRDP-3.2 x86 desktop toolchain, the CC is located at: 
-   /usr/local/i686-netflix-linux-gnu-3.2/bin/i686-netflix-linux-gnu-gcc
 
 2) Run make, passing in your TARGET value. 
 
    For example:  
-   TARGET=/usr/local/i686-netflix-linux-gnu-3.2/bin/i686-netflix-linux-gnu- make
+   TARGET=/usr/local/i686-DIAL-EXAMPLE/bin/i686-DIAL-EXAMPLE make
 
 --------------------------------------------------------------------------------
 Running the DIAL server
@@ -19,7 +17,6 @@
 has been initialized, and it should remain running at all times (a daemon 
 process in the system).
 
-Sample SysV init scripts are available on the Netflix NRD Partner portal. 
 
 --------------------------------------------------------------------------------
 Building the DIAL client
@@ -30,16 +27,8 @@
 your desktop (development) machine. 
 
 The DIAL client uses CURL to send HTTP REST commands to the DIAL server, so to
-build the client, you need to ensure that the CURL dependecies are 
-defined properly. If you are a Netflix NRD partner and have the NRD Platform
-desktop toolchain installed, it includes libcurl. To build against that version,
-use the following build command:
-
-TARGET=/usr/local/i686-netflix-linux-gnu-3.2/bin/i686-netflix-linux-gnu- \
-LDFLAGS="-L/usr/local/i686-netflix-linux-gnu-3.2/netflix/lib \
--Wl,-rpath,/usr/local/i686-netflix-linux-gnu-3.2/netflix/lib" \
-INCLUDES=-I/usr/local/i686-netflix-linux-gnu-3.2/netflix/include \
-make
+build the client, you need to ensure that the CURL dependencies are 
+defined properly. 
 
 Alternatively, you can build against a different, current version of libcurl. 
 Adjust the INCLUDES and LDFLAGS definitions to point to your actual libcurl
diff --git a/src/client/DialClientInput.cpp b/src/client/DialClientInput.cpp
index 4192b86..0ab4779 100644
--- a/src/client/DialClientInput.cpp
+++ b/src/client/DialClientInput.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without 
diff --git a/src/client/DialClientInput.h b/src/client/DialClientInput.h
index b31f546..e53d260 100644
--- a/src/client/DialClientInput.h
+++ b/src/client/DialClientInput.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without 
diff --git a/src/client/DialConformance.cpp b/src/client/DialConformance.cpp
index cb18290..1aa8080 100644
--- a/src/client/DialConformance.cpp
+++ b/src/client/DialConformance.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without 
@@ -32,6 +32,7 @@
 #include <time.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <unistd.h>
 
 // Number of milliseconds to sleep between launches when doing a launch=ALL
 #define LAUNCH_SLEEP 6000
diff --git a/src/client/DialConformance.h b/src/client/DialConformance.h
index 49c7c97..b6c4298 100644
--- a/src/client/DialConformance.h
+++ b/src/client/DialConformance.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without 
diff --git a/src/client/DialDiscovery.cpp b/src/client/DialDiscovery.cpp
index bfaa301..efb37af 100644
--- a/src/client/DialDiscovery.cpp
+++ b/src/client/DialDiscovery.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without 
@@ -48,8 +48,8 @@
 
 DialDiscovery *DialDiscovery::sDiscovery = 0;
 
-static char ip_addr[INET_ADDRSTRLEN] = "127.0.0.1";
-static int my_port = 0;
+//static char ip_addr[INET_ADDRSTRLEN] = "127.0.0.1";
+//static int my_port = 0;
 static struct sockaddr_in saddr;
 typedef struct
 {
@@ -152,6 +152,7 @@
     curl_easy_setopt(curl, CURLOPT_WRITEDATA, &ddxml);
     res = curl_easy_perform(curl);
 
+    (void)(res);
     curl_easy_cleanup(curl);
     //curl_global_cleanup();
 }
@@ -253,7 +254,8 @@
     pthread_attr_t attr;
     search_conn connection;
 
-    send_size = snprintf(send_buf, sizeof(send_buf), ssdp_msearch, ip_addr, my_port);
+    //    send_size = snprintf(send_buf, sizeof(send_buf), ssdp_msearch, ip_addr, my_port);
+    send_size = snprintf(send_buf, sizeof(send_buf), ssdp_msearch);
     ATRACE("[%s:%d] %s\n", __FUNCTION__, __LINE__, send_buf);
 
     if (-1 == (my_sock = socket(AF_INET, SOCK_DGRAM, 0))) {
diff --git a/src/client/DialDiscovery.h b/src/client/DialDiscovery.h
index 81d67a5..c6ba01f 100644
--- a/src/client/DialDiscovery.h
+++ b/src/client/DialDiscovery.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without 
diff --git a/src/client/DialServer.cpp b/src/client/DialServer.cpp
index 794fd66..951727d 100644
--- a/src/client/DialServer.cpp
+++ b/src/client/DialServer.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without 
diff --git a/src/client/DialServer.h b/src/client/DialServer.h
index 92d36f2..59b5aa7 100644
--- a/src/client/DialServer.h
+++ b/src/client/DialServer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without 
diff --git a/src/client/main.cpp b/src/client/main.cpp
index 9eabebb..c882207 100644
--- a/src/client/main.cpp
+++ b/src/client/main.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without 
@@ -30,6 +30,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 
 using namespace std;
 
diff --git a/src/server/dial_data.c b/src/server/dial_data.c
index a02b99f..893d317 100644
--- a/src/server/dial_data.c
+++ b/src/server/dial_data.c
@@ -1,4 +1,28 @@
 /*
+ * Copyright (c) 2014 Netflix, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NETFLIX, INC. AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL NETFLIX OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
  * Functions related to storing/retrieving and manipulating DIAL data.
  */
 #include "dial_data.h"
diff --git a/src/server/dial_data.h b/src/server/dial_data.h
index 28a2b49..faf5ba2 100644
--- a/src/server/dial_data.h
+++ b/src/server/dial_data.h
@@ -1,4 +1,28 @@
 /*
+ * Copyright (c) 2014 Netflix, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NETFLIX, INC. AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL NETFLIX OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
  * Defines functions for persisting and retrieving DIAL data.
  */
 
diff --git a/src/server/dial_options.h b/src/server/dial_options.h
index 3c32e29..5a3d306 100644
--- a/src/server/dial_options.h
+++ b/src/server/dial_options.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  * 
  * Redistribution and use in source and binary forms, with or without 
diff --git a/src/server/dial_server.c b/src/server/dial_server.c
index d31c76b..b09c3f8 100644
--- a/src/server/dial_server.c
+++ b/src/server/dial_server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -290,7 +290,7 @@
     app = *find_app(ds, app_name);
 
     // update the application state
-    if (!app) {
+    if (app) {
         app->state = app->callbacks.status_cb(ds, app_name, app->run_id,
                                               &canStop, app->callback_data);
     }
@@ -393,19 +393,70 @@
     return strncmp(str + lenstr - lensuffix, suffix, lensuffix) == 0;
 }
 
-static int is_allowed_origin(DIALServer* ds, char * origin) {
-    if (!origin || strlen(origin)==0) {
+
+// str contains a white space separated list of strings (only supports SPACE  characters for now)
+static int ends_with_in_list (const char *str, const char *list) {
+    if (!str || !list)
         return 0;
+    
+    const char * scanPointer=list;
+    const char * spacePointer;
+    unsigned int substringSize = 257;
+    char *substring = (char *)malloc(substringSize);
+    if (!substring){
+        return 0;
+    }
+    while ( (spacePointer =strchr(scanPointer, ' ')) != NULL) {
+    	int copyLength = spacePointer - scanPointer;      
+      
+      // protect against buffer overflow
+      if (copyLength>=substringSize){
+          substringSize=copyLength+1;
+          free(substring);
+          substring=(char *)malloc(substringSize);
+          if (!substring){
+              return 0;
+          }
+      }
+
+    	memcpy(substring, scanPointer, copyLength);
+    	substring[copyLength] = '\0';
+    	//printf("found %s \n", substring);
+    	if (ends_with(str, substring)) {
+          free(substring);
+          return 1;
+    	}
+    	scanPointer = scanPointer + copyLength + 1; // assumption: only 1 character
+    }
+    free(substring);
+    return ends_with(str, scanPointer);
+}
+
+static int should_check_for_origin( char * origin ) {
+    const char * const CHECK_PROTOS[] = { "http:", "https:", "file:" };
+    for (int i = 0; i < 3; ++i) {
+        if (!strncmp(origin, CHECK_PROTOS[i], strlen(CHECK_PROTOS[i]) - 1)) {
+            return 1;
+        }
+    }
+    return 0;
+}
+
+static int is_allowed_origin(DIALServer* ds, char * origin, const char * app_name) {
+    if (!origin || strlen(origin)==0 || !should_check_for_origin(origin)) {
+        return 1;
     }
 
     ds_lock(ds);
     DIALApp *app;
     int result = 0;
     for (app = ds->apps; app != NULL; app = app->next) {
-        if (app->corsAllowedOrigin[0] &&
-            ends_with(origin, app->corsAllowedOrigin)) {
-            result = 1;
-            break;
+    	if (!strcmp(app->name, app_name)) {
+            if (!app->corsAllowedOrigin[0] ||
+                ends_with_in_list(origin, app->corsAllowedOrigin)) {
+                result = 1;
+                break;
+            }
         }
     }
     ds_unlock(ds);
@@ -416,6 +467,25 @@
 #define APPS_URI "/apps/"
 #define RUN_URI "/run"
 
+static void *options_response(DIALServer *ds, struct mg_connection *conn, char *host_header, char *origin_header, const char* app_name, const char* methods)
+{    
+    if (host_header && is_allowed_origin(ds, origin_header, app_name)) {
+        mg_printf(
+                  conn,
+                  "HTTP/1.1 204 No Content\r\n"
+                  "Access-Control-Allow-Methods: %s\r\n"
+                  "Access-Control-Max-Age: 86400\r\n"
+                  "Access-Control-Allow-Origin: %s\r\n"
+                  "Content-Length: 0"
+                  "\r\n",
+                  methods,
+                  origin_header);
+        return "done";
+    }
+    mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
+    return "done";   
+}
+
 static void *request_handler(enum mg_event event, struct mg_connection *conn,
                              const struct mg_request_info *request_info) {
     DIALServer *ds = request_info->user_data;
@@ -436,24 +506,6 @@
         // If DIAL is disabled, drop the request
         if (!dial_allowed())
           return "done";
-        // CORS OPTIONS request
-        if (!strcmp(request_info->request_method, "OPTIONS")) {
-            //TODO: for extra safety, also check that host header matches origin
-            if (host_header && origin_header && is_allowed_origin(ds, origin_header)) {
-                mg_printf(
-                        conn,
-                        "HTTP/1.1 204 No Content\r\n"
-                        "Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS\r\n"
-                        "Access-Control-Max-Age: 86400\r\n"
-                        "Access-Control-Allow-Origin: %s\r\n"
-                        "Content-Length: 0"
-                        "\r\n",
-                        origin_header);
-                return "done";
-            }
-            mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
-            return "done";
-        }
         // URL ends with run
         if (!strncmp(request_info->uri + strlen(request_info->uri) - 4, RUN_URI,
                      strlen(RUN_URI))) {
@@ -461,10 +513,19 @@
             strncpy(app_name, request_info->uri + strlen(APPS_URI),
                     ((strlen(request_info->uri) - 4) - (sizeof(APPS_URI) - 1)));
 
+            if (!strcmp(request_info->request_method, "OPTIONS")) {
+                return options_response(ds, conn, host_header, origin_header, app_name, "DELETE, OPTIONS");
+            }
+
             // DELETE non-empty app name
             if (app_name[0] != '\0'
                     && !strcmp(request_info->request_method, "DELETE")) {
-                handle_app_stop(conn, request_info, app_name, origin_header);
+                if (host_header && is_allowed_origin(ds, origin_header, app_name)) {
+                    handle_app_stop(conn, request_info, app_name, origin_header);
+                } else {
+                    mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
+                    return "done";
+                }
             } else {
                 mg_send_http_error(conn, 501, "Not Implemented",
                                    "Not Implemented");
@@ -475,10 +536,20 @@
                 && !strchr(request_info->uri + strlen(APPS_URI), '/')) {
             const char *app_name;
             app_name = request_info->uri + sizeof(APPS_URI) - 1;
+
+            if (!strcmp(request_info->request_method, "OPTIONS")) {
+                return options_response(ds, conn, host_header, origin_header, app_name, "GET, POST, OPTIONS");
+            }
+
             // start app
             if (!strcmp(request_info->request_method, "POST")) {
-                handle_app_start(conn, request_info, app_name, origin_header);
-                // get app status
+                if (host_header && is_allowed_origin(ds, origin_header, app_name)) {
+                    handle_app_start(conn, request_info, app_name, origin_header);
+                } else {
+                    mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
+                    return "done";
+                }
+            // get app status
             } else if (!strcmp(request_info->request_method, "GET")) {
                 handle_app_status(conn, request_info, app_name, origin_header);
             } else {
@@ -493,10 +564,19 @@
             inet_ntop(addr->sin_family, &addr->sin_addr, laddr, sizeof(laddr));
             if ( !strncmp(laddr, gLocalhost, strlen(gLocalhost)) ) {
                 char *app_name = parse_app_name(request_info->uri);
+
+                if (!strcmp(request_info->request_method, "OPTIONS")) {
+                    void *ret = options_response(ds, conn, host_header, origin_header, app_name, "POST, OPTIONS");
+                    free(app_name);
+                    return ret;
+                }
+
                 int use_payload =
                     strcmp(request_info->request_method, "POST") ? 0 : 1;
                 handle_dial_data(conn, request_info, app_name, origin_header,
                                  use_payload);
+
+                free(app_name);
             } else {
                 // If the request is not from local host, return an error
                 mg_send_http_error(conn, 403, "Forbidden", "Forbidden");
diff --git a/src/server/dial_server.h b/src/server/dial_server.h
index 37b160c..32afef8 100644
--- a/src/server/dial_server.h
+++ b/src/server/dial_server.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
diff --git a/src/server/main.c b/src/server/main.c
index 0668040..caa9d65 100644
--- a/src/server/main.c
+++ b/src/server/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37,6 +37,7 @@
 
 #include "dial_server.h"
 #include "dial_options.h"
+#include <signal.h>
 
 #define BUFSIZE 256
 
@@ -82,6 +83,19 @@
     return match;
 }
 
+// For Fiber we do not let DIAL handle SIGTERM, as we consider that a killing
+// signal (pkillwait uses it first).
+/*
+void signalHandler(int signal)
+{
+    switch(signal)
+    {
+        case SIGTERM:
+            // just ignore this, we don't want to die
+            break;
+    }
+}
+*/
 
 /* The URL encoding source code was obtained here:
  * http://www.geekhideout.com/urlcode.shtml
@@ -436,8 +450,8 @@
     struct DIALAppCallbacks cb_ft = {fibertv_start, fibertv_stop, fibertv_status, NULL, NULL};
     struct DIALAppCallbacks cb_gf = {basil_start, basil_stop, basil_status, basil_service_data, NULL};
 
-    DIAL_register_app(ds, "Netflix", &cb_nf, NULL, 1, "netflix.com");
-    DIAL_register_app(ds, "YouTube", &cb_yt, NULL, 1, "youtube.com");
+    DIAL_register_app(ds, "Netflix", &cb_nf, NULL, 1, ".netflix.com");
+    DIAL_register_app(ds, "YouTube", &cb_yt, NULL, 1, ".youtube.com");
     if (strcmp(spUiType, "oregano") == 0) {
       DIAL_register_app(ds, "GoogleFiberTV", &cb_gf, NULL, 0, NULL);
     } else {
@@ -478,6 +492,15 @@
 
 int main(int argc, char* argv[])
 {
+    // We want DIAL to die on a SIGTERM - pkillwait sends SIGTERM first.
+    /*
+    struct sigaction action;
+    action.sa_handler = signalHandler;
+    sigemptyset(&action.sa_mask);
+    action.sa_flags = 0;
+    sigaction(SIGTERM, &action, NULL);
+    */
+
     srand(time(NULL));
     int i;
 
diff --git a/src/server/quick_ssdp.c b/src/server/quick_ssdp.c
index 54c132b..3a399ea 100644
--- a/src/server/quick_ssdp.c
+++ b/src/server/quick_ssdp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012 Netflix, Inc.
+ * Copyright (c) 2014 Netflix, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34,6 +34,7 @@
 #include <unistd.h>
 
 #include "mongoose.h"
+#include "url_lib.h"
 
 // TODO: Partners should define this port
 #define SSDP_PORT (56790)
@@ -42,11 +43,7 @@
 static char gBuf[4096];
 
 // TODO: Partners should get the friendlyName from the system and insert here.
-// TODO: Partners should ensure the friendlyName is the same string returned
-//       in the ISsystem::getFriendlyName DPI function.
 // TODO: Partners should get the UUID from the system and insert here.
-// TODO: Partners should ensure the modelName is identifiably similar to the
-//       model name returned in the ISystem::getDeviceModel DPI function
 static const char ddxml[] = ""
 "<?xml version=\"1.0\"?>"
 "<root"
@@ -212,20 +209,17 @@
   socklen_t len = sizeof(sa);
 
   if(pFriendlyName) {
-      strncpy(friendly_name, pFriendlyName, sizeof(friendly_name));
-      friendly_name[255] = '\0';
+      xmlencode(friendly_name, pFriendlyName, sizeof(friendly_name));
   } else {
       strcpy(friendly_name, "DIAL server sample");
   }
   if(pModelName) {
-      strncpy(model_name, pModelName, sizeof(model_name));
-      model_name[255] = '\0';
+      xmlencode(model_name, pModelName, sizeof(model_name));
   } else {
       strcpy(model_name, "deadbeef-dead-beef-dead-beefdeadbeef");
   }
   if(pUuid) {
-      strncpy(uuid, pUuid, sizeof(uuid));
-      uuid[255] = '\0';
+      xmlencode(uuid, pUuid, sizeof(uuid));
   } else {
       strcpy(uuid, "deadbeef-dead-beef-dead-beefdeadbeef");
   }
diff --git a/src/server/tests/run_tests.c b/src/server/tests/run_tests.c
index 6fe3ef2..dedafd0 100644
--- a/src/server/tests/run_tests.c
+++ b/src/server/tests/run_tests.c
@@ -1,3 +1,27 @@
+/*
+ * Copyright (c) 2014 Netflix, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NETFLIX, INC. AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL NETFLIX OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #include "test_dial_data.h"
 #include "test_url_lib.h"
 
diff --git a/src/server/tests/test.h b/src/server/tests/test.h
index e2ad1ad..1cb9295 100644
--- a/src/server/tests/test.h
+++ b/src/server/tests/test.h
@@ -1,3 +1,27 @@
+/*
+ * Copyright (c) 2014 Netflix, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NETFLIX, INC. AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL NETFLIX OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 // Macros to simplify testing functions.
 
 #ifndef SRC_SERVER_TESTS_TEST_H_
diff --git a/src/server/tests/test_cors.html b/src/server/tests/test_cors.html
new file mode 100644
index 0000000..451a96e
--- /dev/null
+++ b/src/server/tests/test_cors.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<!--
+To change this license header, choose License Headers in Project Properties.
+To change this template file, choose Tools | Templates
+and open the template in the editor.
+-->
+<html>
+    <head>
+        <title>DIAL Security Test CORS</title>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+        <script type="text/javascript" src="http://code.jquery.com/jquery-1.11.2.min.js"></script>
+        <script>
+            $(document).ready(function(){
+
+            var makePost=function(app){
+              console.log("make dial post...");
+              var ip = $("#ipAddress").val();
+              var port = $("#dialPort").val();
+              var urlStr = "http://"+ip+":"+port+"/apps/"+app;
+              console.log(urlStr);
+              $("#status").text("posted to "+urlStr);
+              $.ajax({
+                type: "POST",
+                url: urlStr,
+                data: "v=QH2-TGUlwu4",
+                dataType: "text/plain; charset=\"utf-8\""
+              });
+            };
+
+            $( "#testNetflix" ).click(function(){
+                console.log("testing Netflix");
+                makePost("Netflix");
+            });
+
+            $( "#testYoutube" ).click(function(){
+                console.log("testing Youtube");            
+                makePost("Youtube");
+            });
+
+            });
+        </script>
+    </head>
+    <body>
+        <input id="ipAddress" type="text" name="ip" value="192.168.1.100">
+        <input id="dialPort" type="text" name="port" value="8060">
+        <p>
+          <button id="testNetflix">Test Netflix</button>
+          <button id="testYoutube">Test Youtube</button>
+        </p>
+        <p>
+          <div id="status"></div>
+        </p>
+    </body>
+</html>
+
+
diff --git a/src/server/tests/test_cors.sh b/src/server/tests/test_cors.sh
new file mode 100755
index 0000000..088fe02
--- /dev/null
+++ b/src/server/tests/test_cors.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]; then
+    echo "usage: `basename $0`: <DIAL server ip address> <port> "
+    exit 1
+fi
+
+ip_address=$1
+port=$2
+
+#Testing all the positive cases
+origins="http://www4.netflix.com http://1.netflix.com https://www.netflix.com https://www4.netflix.com ftp://this.is.fine"
+for origin in $origins; do
+curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4"  http://$ip_address:$port/apps/Netflix || echo "failed: $origin should be accepted"
+curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/Netflix || echo "failed: $origin should be accepted"
+curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/Netflix/run || echo "failed: $origin should be accepted"
+if [ $ip_address == "localhost" ];
+then
+    echo "testing dial_data OPTIONS on $ip_address from origin $origin"
+    curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/Netflix/dial_data || echo "failed: $origin should be accepted"
+fi
+done
+
+origins="http://www4.youtube.com http://1.youtube.com https://www.youtube.com https://www4.youtube.com ftp://this.is.fine"
+for origin in $origins; do
+curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4"  http://$ip_address:$port/apps/YouTube || echo "failed: $origin should be accepted"
+curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/YouTube || echo "failed: $origin should be accepted"
+curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/YouTube/run || echo "failed: $origin should be accepted"
+if [ $ip_address == "localhost" ];
+then
+    echo "testing dial_data OPTIONS on $ip_address from origin $origin"
+    curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/YouTube/dial_data || echo "failed: $origin should be accepted"
+fi
+done
+
+#Testing all the negative cases
+origins="http://www.netflix-a.com http://www.netflix.com4 http://a-netflix.com https://ww.netflix-a.com https://www.netflix.com4 https://a-netflix.com http://netflix.com http://www.attack.com https://www.attack.com file://www.attack.com"
+for origin in $origins; do
+curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4"  http://$ip_address:$port/apps/Netflix && echo "failed: $origin should be rejected"
+curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/Netflix && echo "failed: $origin should be rejected"
+curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/Netflix/run && echo "failed: $origin should be rejected"
+if [ $ip_address == "localhost" ];
+then
+    echo "testing dial_data OPTIONS on $ip_address from origin $origin"
+    curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/Netflix/dial_data && echo "failed: $origin should be rejected"
+fi
+done
+
+origins="http://www.youtube-a.com http://www.youtube.com4 http://a-youtube.com https://ww.youtube-a.com https://www.youtube.com4 https://a-youtube.com http://youtube.com https://youtube.com http://www.attack.com https://www.attack.com file://www.attack.com"
+for origin in $origins; do
+curl --fail --silent --header "Origin:$origin" --data "v=QH2-TGUlwu4"  http://$ip_address:$port/apps/YouTube && echo "failed: $origin should be rejected"
+curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/YouTube && echo "failed: $origin should be rejected"
+curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/YouTube/run && echo "failed: $origin should be rejected"
+if [ $ip_address == "localhost" ];
+then
+    echo "testing dial_data OPTIONS on $ip_address from origin $origin"
+    curl --fail --silent --header "Origin:$origin" -X OPTIONS  http://$ip_address:$port/apps/YouTube/dial_data && echo "failed: $origin should be rejected"
+fi
+done
+
+#Finally test with no header
+curl --fail --silent --data "v=QH2-TGUlwu4"  http://$ip_address:$port/apps/YouTube || echo "failed: request without an Origin should be accepted"
+curl --fail --silent -X OPTIONS  http://$ip_address:$port/apps/YouTube || echo "failed: request without an Origin should be accepted"
+curl --fail --silent -X OPTIONS  http://$ip_address:$port/apps/YouTube/run || echo "failed: request without an Origin should be accepted"
+if [ $ip_address == "localhost" ];
+then
+    echo "testing dial_data OPTIONS on $ip_address with no origin"
+    curl --fail --silent -X OPTIONS  http://$ip_address:$port/apps/YouTube/dial_data || echo "failed: request without an Origin should be accepted"
+fi
+
+echo "Done."
diff --git a/src/server/tests/test_dial_data.c b/src/server/tests/test_dial_data.c
index 4998084..b383d5d 100644
--- a/src/server/tests/test_dial_data.c
+++ b/src/server/tests/test_dial_data.c
@@ -1,3 +1,27 @@
+/*
+ * Copyright (c) 2014 Netflix, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NETFLIX, INC. AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL NETFLIX OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #include "../dial_data.h"
 
 #include <assert.h>
diff --git a/src/server/tests/test_dial_data.h b/src/server/tests/test_dial_data.h
index c8fa06d..d2b579d 100644
--- a/src/server/tests/test_dial_data.h
+++ b/src/server/tests/test_dial_data.h
@@ -1,3 +1,27 @@
+/*
+ * Copyright (c) 2014 Netflix, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NETFLIX, INC. AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL NETFLIX OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #ifndef SRC_SERVER_TESTS_TEST_DIAL_DATA_H_
 #define SRC_SERVER_TESTS_TEST_DIAL_DATA_H_
 
diff --git a/src/server/tests/test_url_lib.c b/src/server/tests/test_url_lib.c
index d89d38d..95d6e6d 100644
--- a/src/server/tests/test_url_lib.c
+++ b/src/server/tests/test_url_lib.c
@@ -1,3 +1,27 @@
+/*
+ * Copyright (c) 2014 Netflix, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NETFLIX, INC. AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL NETFLIX OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #include "../url_lib.h"
 #include "../dial_data.h"
 
diff --git a/src/server/tests/test_url_lib.h b/src/server/tests/test_url_lib.h
index 43fe19f..1cbe2e7 100644
--- a/src/server/tests/test_url_lib.h
+++ b/src/server/tests/test_url_lib.h
@@ -1,3 +1,27 @@
+/*
+ * Copyright (c) 2014 Netflix, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NETFLIX, INC. AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL NETFLIX OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #ifndef SRC_SERVER_TESTS_TEST_URL_LIB_H_
 #define SRC_SERVER_TESTS_TEST_URL_LIB_H_
 
diff --git a/src/server/url_lib.c b/src/server/url_lib.c
index 78313e3..b743a38 100644
--- a/src/server/url_lib.c
+++ b/src/server/url_lib.c
@@ -1,3 +1,27 @@
+/*
+ * Copyright (c) 2014 Netflix, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NETFLIX, INC. AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL NETFLIX OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #include "url_lib.h"
 #include "dial_data.h"
 
@@ -63,31 +87,48 @@
 void xmlencode(char *dst, const char *src, size_t max_size) {
     size_t current_size = 0;
     while (*src && current_size < max_size) {
-        switch (*src) {
-            case '&':
-                dst = smartstrcat(dst, "&amp;", max_size - current_size);
-                current_size += 5;
-                break;
-            case '\"':
-                dst = smartstrcat(dst, "&quot;", max_size - current_size);
-                current_size += 6;
-                break;
-            case '\'':
-                dst = smartstrcat(dst, "&apos;", max_size - current_size);
-                current_size += 6;
-                break;
-            case '<':
-                dst = smartstrcat(dst, "&lt;", max_size - current_size);
-                current_size += 4;
-                break;
-            case '>':
-                dst = smartstrcat(dst, "&gt;", max_size - current_size);
-                current_size += 4;
-                break;
-            default:
-                *dst++ = *src;
-                current_size++;
-                break;
+        // Discard invalid characters for xml encoding, assuming input
+        // shouldn't contain utf.
+        if(!((*src&0x80) ||
+           (*src < 0x20 && *src != 0x09 && *src != 0x0A && *src != 0x0D))) {
+            switch (*src) {
+                case '\t':
+                    dst = smartstrcat(dst, "&#x9;", max_size - current_size);
+                    current_size += 5;
+                    break;
+                case '\n':
+                    dst = smartstrcat(dst, "&#xA;", max_size - current_size);
+                    current_size += 5;
+                    break;
+                case '\r':
+                    dst = smartstrcat(dst, "&#xD;", max_size - current_size);
+                    current_size += 5;
+                    break;
+                case '&':
+                    dst = smartstrcat(dst, "&amp;", max_size - current_size);
+                    current_size += 5;
+                    break;
+                case '\"':
+                    dst = smartstrcat(dst, "&quot;", max_size - current_size);
+                    current_size += 6;
+                    break;
+                case '\'':
+                    dst = smartstrcat(dst, "&apos;", max_size - current_size);
+                    current_size += 6;
+                    break;
+                case '<':
+                    dst = smartstrcat(dst, "&lt;", max_size - current_size);
+                    current_size += 4;
+                    break;
+                case '>':
+                    dst = smartstrcat(dst, "&gt;", max_size - current_size);
+                    current_size += 4;
+                    break;
+                default:
+                    *dst++ = *src;
+                    current_size++;
+                    break;
+            }
         }
         src++;
     }
diff --git a/src/server/url_lib.h b/src/server/url_lib.h
index 00781a8..209dfb3 100644
--- a/src/server/url_lib.h
+++ b/src/server/url_lib.h
@@ -1,3 +1,27 @@
+/*
+ * Copyright (c) 2014 Netflix, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY NETFLIX, INC. AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL NETFLIX OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 /* Utility functions for dealing with URLs */
 
 #ifndef URLLIB_H_