From 678d24c7ee9e1891b4a7127220cd651f2c6e6124 Mon Sep 17 00:00:00 2001
From: "Paula V. Quispe"
Date: Mon, 23 Mar 2015 10:27:59 -0400
Subject: [PATCH] I solved the observation
---
 workflow/engine/classes/class.Upgrade.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/workflow/engine/classes/class.Upgrade.php b/workflow/engine/classes/class.Upgrade.php
index 2126ebf4d..48cb8a74c 100644
--- a/workflow/engine/classes/class.Upgrade.php
+++ b/workflow/engine/classes/class.Upgrade.php
@@ -44,7 +44,9 @@ class Upgrade
 //printf("Time to open archive: %f\n", microtime(1) - $time);
 $time = microtime(1);
 $extractDir = dirname($this->addon->getDownloadFilename()) . "/extract";
+ $extractDir = $filter->xssFilterHard($extractDir);
 $backupDir = dirname($this->addon->getDownloadFilename()) . "/backup";
+ $backupDir = $filter->xssFilterHard($backupDir);
 if (file_exists($extractDir)) {
 G::rm_dir($extractDir);
 }
@@ -87,6 +89,7 @@ class Upgrade
 $checksumTime = 0;
 foreach ($checksums as $filename => $checksum) {
 if (is_dir("$extractDir/$filename")) {
+ $filename = $filter->xssFilterHard($filename);
 print $filename;
 continue;
 }
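Review bot: Judging by its name, `xssFilterHard()` is an HTML-output filter, yet in this hunk its result becomes the `$extractDir` and `$backupDir` that feed `file_exists()` and `G::rm_dir()`. If the filter rewrites any character, the directory that is removed is no longer the one derived from `getDownloadFilename()`; if it rewrites nothing, it adds no protection for a path. A path check fits this sink better: resolve the parent with `realpath(dirname($this->addon->getDownloadFilename()))` and stop unless it lies under the directory the add-on download is expected to use. `$filter` is not assigned in the visible lines, so its initialisation earlier in the method, which starts outside the hunk, should be confirmed.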
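Review bot: The filter reaches `$filename` only after the unfiltered value has already been used in `is_dir("$extractDir/$filename")`, so it changes what `print` emits and nothing else. The keys of `$checksums` presumably come from the downloaded package, so a containment check belongs before the `is_dir()` call, for example skipping any entry whose `realpath("$extractDir/$filename")` does not begin with `realpath($extractDir) . DIRECTORY_SEPARATOR`. For the output itself, escaping at the sink for the real context (`print htmlspecialchars($filename, ENT_QUOTES, 'UTF-8');` if this is rendered as HTML) is clearer than reassigning the loop variable. The loop body continues outside the hunk.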