From 3c0048d4baa116f3fc6cc3511388bc73f586aae0 Mon Sep 17 00:00:00 2001
From: Kijin Sung <kijin@kijinsung.com>
Date: Thu, 22 May 2025 22:22:08 +0900
Subject: [PATCH] Apply FilenameFilter::clean() to all uploaded files, even if
 not passed to procFileUpload() #2556

---
 classes/context/Context.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/classes/context/Context.class.php b/classes/context/Context.class.php
index 95b5b8776..646ac95e8 100644
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@@ -1339,7 +1339,7 @@ class Context
 					unset($_FILES[$key]);
 					continue;
 				}
-				$val['name'] = str_replace('&amp;', '&', escape($val['name'], false));
+				$val['name'] = Rhymix\Framework\Filters\FilenameFilter::clean($val['name']);
 				self::set($key, $val, true);
 				self::set('is_uploaded', true);
 				self::$_instance->is_uploaded = true;
@@ -1365,7 +1365,7 @@ class Context
 						break;
 					}
 					$file = array();
-					$file['name'] = str_replace('&amp;', '&', escape($val['name'][$i], false));
+					$file['name'] = Rhymix\Framework\Filters\FilenameFilter::clean($val['name'][$i]);
 					$file['type'] = $val['type'][$i];
 					$file['tmp_name'] = $val['tmp_name'][$i];
 					$file['error'] = $val['error'][$i];