diff --git a/workflow/engine/controllers/pmTablesProxy.php b/workflow/engine/controllers/pmTablesProxy.php
index 147d3d131..12d67de42 100755
--- a/workflow/engine/controllers/pmTablesProxy.php
+++ b/workflow/engine/controllers/pmTablesProxy.php
@@ -666,9 +666,12 @@ class pmTablesProxy extends HttpProxyController
 public function importCSV ($httpData)
 {
 G::LoadClass('pmFunctions');
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
 $countRow = 250;
 if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) {
 $filename = $_FILES['form']['name']['CSV_FILE'];
+ $filename = $filter->xssFilterHard($filename, 'path');
 if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) {
 require_once 'classes/model/AdditionalTables.php';
 $oAdditionalTables = new AdditionalTables();
@@ -762,8 +765,11 @@ class pmTablesProxy extends HttpProxyController
 */
 public function importCSVDeprecated ($httpData)
 {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
 if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) {
 $filename = $_FILES['form']['name']['CSV_FILE'];
+ $filename = $filter->xssFilterHard($filename, 'path');
 if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) {
 require_once 'classes/model/AdditionalTables.php';
 $oAdditionalTables = new AdditionalTables();
diff --git a/workflow/engine/methods/setup/languages_Import.php b/workflow/engine/methods/setup/languages_Import.php
index b79c233ae..1ea43988a 100755
--- a/workflow/engine/methods/setup/languages_Import.php
+++ b/workflow/engine/methods/setup/languages_Import.php
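Review bot: The new `$filename = $filter->xssFilterHard($filename, 'path');` line sanitises the client-supplied upload name but does not constrain it to a single path component, so whether `$filename` is safe to use in a filesystem path later in importCSV depends entirely on what the 'path' mode of InputFilter strips, which the hunk does not show. A plain whitelist is easier to verify: `$filename = basename($filter->xssFilterHard($filename, 'path'));` followed by rejecting an empty result before the fopen() branch. The same pattern appears in the importCSVDeprecated hunk below and in the languages_Import.php hunk (`$languageFilename`), where the filtered name then feeds the `.gz` suffix check. Separately, `$_FILES['form']['tmp_name']['CSV_FILE']` is handed straight to file_get_contents() without checking `$_FILES['form']['error']['CSV_FILE'] === UPLOAD_ERR_OK` or `is_uploaded_file()`, so a failed upload yields a warning and an empty read that still satisfies the preg_match() guard. importCSV's body continues past the end of the hunk.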
@@ -56,10 +56,12 @@ try {
 $sMaxExecutionTime = ini_get( 'max_execution_time' );
 ini_set( 'max_execution_time', '0' );
 G::LoadClass( 'configuration' );
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
 $languageFile = $_FILES['form']['tmp_name']['LANGUAGE_FILENAME'];
 $languageFilename = $_FILES['form']['name']['LANGUAGE_FILENAME'];
-
+ $languageFilename = $filter->xssFilterHard($languageFilename, 'path');
 if (substr_compare( $languageFilename, ".gz", - 3, 3, true ) == 0) {
 $zp = gzopen( $languageFile, "r" );
 $languageFile = tempnam( __FILE__, '' );