I correct High - Code Injection(7 flaws) (8 April Report)

workflow/public_html/sysGeneric.php

@@ -564,6 +564,7 @@ if (defined( 'SYS_TEMP' ) && SYS_TEMP != '') {
 } else { //when we are in global pages, outside any valid workspace
     if (SYS_TARGET === 'newSite') {
         $phpFile = G::ExpandPath( 'methods' ) . SYS_COLLECTION . "/" . SYS_TARGET . '.php';
+        $phpFile = $filter->validateInput($phpFile,'path');
         //NewRelic Snippet - By JHL
         transactionLog($phpFile);
         require_once ($phpFile);
@@ -725,6 +726,10 @@ $bWE = false;
 $isControllerCall = false;
 $isPluginController = false;
 
+//Load filter class
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+
 if (substr( SYS_COLLECTION, 0, 8 ) === 'gulliver') {
     $phpFile = PATH_GULLIVER_HOME . 'methods/' . substr( SYS_COLLECTION, 8 ) . SYS_TARGET . '.php';
 } else {
@@ -786,14 +791,16 @@ if (substr( SYS_COLLECTION, 0, 8 ) === 'gulliver') {
 
         $pluginControllerPath = PATH_PLUGINS . $pluginName . PATH_SEP . 'controllers' . PATH_SEP;
 
-        if (is_file($pluginControllerPath. $controllerClass . '.php')) {
-            require_once $pluginControllerPath. $controllerClass . '.php';
+        $pathFile = $pluginControllerPath. $controllerClass . '.php';
+        $pathFile = $filter->validateInput($pathFile,'path');
+        if (is_file($pathFile)) {
+            require_once $pathFile;
         } elseif (is_file($pluginControllerPath. ucfirst($controllerClass) . '.php')) {
             $controllerClass = ucfirst($controllerClass);
-            require_once $pluginControllerPath. $controllerClass . '.php';
+            require_once $pathFile;
         } elseif (is_file($pluginControllerPath. ucfirst($controllerClass) . 'Controller.php')) {
             $controllerClass = ucfirst($controllerClass) . 'Controller';
-            require_once $pluginControllerPath. $controllerClass . '.php';
+            require_once $pathFile;
         }
 
         //if the method exists