diff --git a/cake/dispatcher.php b/cake/dispatcher.php
index de026756398..9756c841a1a 100644
--- a/cake/dispatcher.php
+++ b/cake/dispatcher.php
@@ -344,7 +344,8 @@ function baseUrl() {
 return $this->base = $base;
 }
 if (!$baseUrl) {
- $base = dirname(env('PHP_SELF'));
+ $replace = array('<', '>', '*', '\'', '"');
+ $base = str_replace($replace, '', dirname(env('PHP_SELF')));
 if ($webroot === 'webroot' && $webroot === basename($base)) {
 $base = dirname($base);
diff --git a/cake/libs/model/model.php b/cake/libs/model/model.php
index 1becede48eb..b20ad2c4e17 100644
--- a/cake/libs/model/model.php
+++ b/cake/libs/model/model.php
@@ -1010,7 +1010,10 @@ function read($fields = null, $id = null) {
 }
 if ($id !== null && $id !== false) {
- $this->data = $this->find(array($this->alias . '.' . $this->primaryKey => $id), $fields);
+ $this->data = $this->find('first', array(
+ 'conditions' => array($this->alias . '.' . $this->primaryKey => $id),
+ 'fields' => $fields
+ ));
 return $this->data;
 } else {
 return false;
diff --git a/cake/tests/cases/dispatcher.test.php b/cake/tests/cases/dispatcher.test.php
index 0fcbfb3fb77..a50037de844 100644
--- a/cake/tests/cases/dispatcher.test.php
+++ b/cake/tests/cases/dispatcher.test.php
@@ -1898,6 +1898,23 @@ function testHttpMethodOverrides() {
 unset($_POST['_method']);
 }
+
+/**
+ * Tests that invalid characters cannot be injected into the application base path.
+ *
+ * @return void
+ */
+ function testBasePathInjection() {
+ $self = $_SERVER['PHP_SELF'];
+ $_SERVER['PHP_SELF'] = urldecode(
+ "/index.php/%22%3E%3Ch1%20onclick=%22alert('xss');%22%3Eheya%3C/h1%3E"
+ );
+
+ $dispatcher =& new Dispatcher();
+ $result = $dispatcher->baseUrl();
+ $expected = '/index.php/h1 onclick=alert(xss);heya';
+ $this->assertEqual($result, $expected);
+ }
 /**
 * testEnvironmentDetection method
 *
diff --git a/cake/tests/cases/libs/router.test.php b/cake/tests/cases/libs/router.test.php
index f0bfb1441d6..f57c91d9c3e 100644
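Review bot: The blacklist on the new `$base = str_replace($replace, '', dirname(env('PHP_SELF')));` line strips only five characters, so `=`, `(`, `)`, `;`, `&`, backticks and whitespace still reach `$this->base` — the sibling test's expected value `'/index.php/h1 onclick=alert(xss);heya'` shows exactly that — and the value therefore remains unsafe to emit into an HTML attribute or URL without context-specific encoding at the output site. Since a base path should only contain path characters, a whitelist is more robust than removing a handful of characters, e.g. `$base = preg_replace('/[^a-zA-Z0-9_\/.~-]/', '', dirname(env('PHP_SELF')));`, though that would need confirming against installs whose directory names contain spaces or non-ASCII characters. The `return $this->base = $base;` on the hunk's first context line returns `$base` from an earlier branch that this filter does not touch; if that value is also derived from `PHP_SELF` (not visible here) it needs the same treatment. `baseUrl()` begins and ends outside the hunk.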
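Review bot: The new `'conditions' => array($this->alias . '.' . $this->primaryKey => $id)` line hands `$id` to the query builder unchanged, and the surrounding guard only rejects `null` and `false`; if a caller forwards request data and `$id` arrives as an array (for example from `?id[]=1`), the single-key lookup presumably becomes an `IN (...)` condition and `read()` returns a row the caller never named — inferred from how this ORM normally treats array condition values rather than visible in the hunk. If array ids are not an intended feature, reject them before building the condition, `if (!is_scalar($id)) { return false; }`, and say so in the method's docblock; if they are intended, document it. `read()` begins and ends outside the hunk.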
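Review bot: `testBasePathInjection` copies the original `$_SERVER['PHP_SELF']` into `$self` but never restores it, so the injected path leaks into every test that runs after this one in the case; add `$_SERVER['PHP_SELF'] = $self;` after the `assertEqual` call, mirroring how the preceding `testHttpMethodOverrides` cleans up with `unset($_POST['_method'])`. The expected value `'/index.php/h1 onclick=alert(xss);heya'` also demonstrates that `=`, `(`, `)` and `;` pass through the filter, which contradicts the docblock's claim that "invalid characters cannot be injected"; reword it to something like `Tests that <, >, *, quotes and double quotes are stripped from the application base path.` so nobody reads this test as proof that the base path is HTML-safe.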
--- a/cake/tests/cases/libs/router.test.php
+++ b/cake/tests/cases/libs/router.test.php
@@ -658,14 +658,23 @@ function testUrlGeneration() {
 Router::reload();
 Router::setRequestInfo(array(
- array('plugin' => 'shows', 'controller' => 'show_tickets', 'action' => 'admin_edit', 'pass' => array(0 => '6'), 'prefix' => 'admin', 'admin' => true, 'form' => array(), 'url' => array('url' => 'admin/shows/show_tickets/edit/6')),
- array('plugin' => NULL, 'controller' => NULL, 'action' => NULL, 'base' => '', 'here' => '/admin/shows/show_tickets/edit/6', 'webroot' => '/')));
+ array(
+ 'plugin' => 'shows', 'controller' => 'show_tickets', 'action' => 'admin_edit',
+ 'pass' => array('6'), 'prefix' => 'admin', 'admin' => true, 'form' => array(),
+ 'url' => array('url' => 'admin/shows/show_tickets/edit/6')
+ ),
+ array(
+ 'plugin' => null, 'controller' => null, 'action' => null, 'base' => '',
+ 'here' => '/admin/shows/show_tickets/edit/6', 'webroot' => '/'
+ )
+ ));
 Router::parse('/');
- $result = Router::url(array('plugin' => 'shows', 'controller' => 'show_tickets', 'action' => 'edit', 'id' => '6', 'admin' => true, 'prefix' => 'admin', ));
+ $result = Router::url(array(
+ 'plugin' => 'shows', 'controller' => 'show_tickets', 'action' => 'edit', 'id' => '6',
+ 'admin' => true, 'prefix' => 'admin'
+ ));
 $expected = '/admin/shows/show_tickets/edit/6';
 $this->assertEqual($result, $expected);
 }