1 files changed, 4 insertions, 4 deletions

diff --git a/modules/server_add/controllers/admin_server_add.php b/modules/server_add/controllers/admin_server_add.php
index 0c741513..954c9ef6 100644
--- a/modules/server_add/controllers/admin_server_add.php
+++ b/modules/server_add/controllers/admin_server_add.php
@@ -35,12 +35,12 @@ class Admin_Server_Add_Controller extends Admin_Controller {
     $form = $this->_get_admin_form();
     $paths = unserialize(module::get_var("server_add", "authorized_paths", "a:0:{}"));
     if ($form->validate()) {
-      if (is_link($form->add_path->path->value)) {
+      $path = html_entity_decode($form->add_path->path->value);
+      if (is_link($path)) {
         $form->add_path->path->add_error("is_symlink", 1);
-      } else if (!is_readable($form->add_path->path->value)) {
+      } else if (!is_readable($path)) {
         $form->add_path->path->add_error("not_readable", 1);
       } else {
-        $path = $form->add_path->path->value;
         $paths[$path] = 1;
         module::set_var("server_add", "authorized_paths", serialize($paths));
         message::success(t("Added path %path", array("path" => $path)));
@@ -75,7 +75,7 @@ class Admin_Server_Add_Controller extends Admin_Controller {
     $path_prefix = Input::instance()->get("q");
     foreach (glob("{$path_prefix}*") as $file) {
       if (is_dir($file) && !is_link($file)) {
-        $directories[] = $file;
+        $directories[] = html::clean($file);
       }
     }