Fix incorrect encoding of filenames with single quotes

common/framework/filters/FilenameFilter.php

@@ -15,6 +15,9 @@ class FilenameFilter
 	 */
 	public static function clean(string $filename): string
 	{
+		// Clean up unnecessary encodings.
+		$filename = strtr($filename, ['&' => '&', ''' => "'"]);
+
 		// Replace dangerous characters with safe alternatives, maintaining meaning as much as possible.
 		$illegal = array('\\', '/', '<', '>', '{', '}', ':', ';', '|', '"', '~', '`', '$', '%', '^', '*', '?');
 		$replace = array('', '', '(', ')', '(', ')', '_', ',', '_', '', '_', '\'', '_', '_', '_', '', '');
@@ -31,9 +34,6 @@ class FilenameFilter
 		$filename = preg_replace('/__+/', '_', $filename);
 		$filename = preg_replace('/\.\.+/', '.', $filename);
 
-		// Clean up unnecessary encodings.
-		$filename = strtr($filename, array('&amp;' => '&'));
-
 		// Change .php files to .phps to make them non-executable.
 		if (strtolower(substr($filename, strlen($filename) - 4)) === '.php')
 		{

common/js/plugins/jquery.fileupload/js/main.js

@@ -353,12 +353,12 @@
 		unselectNonImageFiles: function() {},
 
 		generateHtml: function($container, file) {
-			var filename = String(file.source_filename);
+			var filename = String(file.source_filename).escape();
 			var html = '';
 			var data = $container.data();
 
 			if (filename.match(/\.(gif|jpe?g|png|webp)$/i)) {
-				html = '<img src="' + file.download_url + '" alt="' + file.source_filename + '"'
+				html = '<img src="' + file.download_url + '" alt="' + filename + '"'
 					+ ' editor_component="image_link" data-file-srl="' + file.file_srl + '" />';
 			}
 			else if (filename.match(/\.(mp3|wav|ogg|flac|aac)$/i)) {
@@ -388,7 +388,7 @@
 			}
 
 			if (html === '') {
-				html += '<a href="' + file.download_url + '" data-file-srl="' + file.file_srl + '">' + file.source_filename + '</a>\n';
+				html += '<a href="' + file.download_url + '" data-file-srl="' + file.file_srl + '">' + filename + '</a>\n';
 			}
 
 			return html;
@@ -515,7 +515,7 @@
 					$container.data(data);
 
 					file.thumbnail_url = file.download_url;
-					file.source_filename = file.source_filename.replace("&amp;", "&");
+					file.source_filename = file.source_filename.replace("&amp;", "&").replace("&#039;", "'");
 
 					if(file.thumbnail_filename) {
 						file.thumbnail_url = file.thumbnail_filename;