diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
index 910c28eb0..6031bd8e8 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
@@ -152,7 +152,7 @@ class FilesManager
 {
 try {
 $aData['prf_path'] = rtrim($aData['prf_path'], '/') . '/';
- if (!$aData['prf_filename']) {
+ if (!$aData['prf_filename'] || strpbrk($aData['prf_filename'], "\\/?%*:|\"<>") !== false) {
 throw new \Exception(\G::LoadTranslation("ID_INVALID_VALUE_FOR", array('prf_filename')));
 }
 $extention = strstr($aData['prf_filename'], '.');
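Review bot: The new `strpbrk` deny-list on the added `if` line still accepts the filenames `.` and `..` and any name containing a NUL byte, since none of those characters appear in the list, so a `prf_filename` of `..` passes validation and is then appended to `prf_path`. Deny-lists of this kind are easy to get wrong; at minimum the check should reject the dot entries and NUL: `if (!$aData['prf_filename'] || in_array($aData['prf_filename'], ['.', '..'], true) || strpbrk($aData['prf_filename'], "\\/?%*:|\"<>\0") !== false) {`. An allow-list (e.g. a `preg_match` on permitted characters) would be more robust, but whether spaces or non-ASCII names are legitimate here cannot be told from this hunk. Note also that `prf_path` is only `rtrim`-ed of trailing slashes in this hunk; whether it is validated against `..` segments elsewhere in the method is not visible here. The enclosing method and its `try` block both begin and end outside the hunk.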