diff --git a/gulliver/system/class.bootstrap.php b/gulliver/system/class.bootstrap.php index 9c221d226..233aff967 100644 --- a/gulliver/system/class.bootstrap.php +++ b/gulliver/system/class.bootstrap.php @@ -348,12 +348,18 @@ class Bootstrap throw new Exception("Template: $template, doesn't exist!"); } + self::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $smarty = new Smarty (); $smarty->compile_dir = Bootstrap::sys_get_temp_dir(); $smarty->cache_dir = Bootstrap::sys_get_temp_dir(); - $smarty->config_dir = PATH_THIRDPARTY . 'smarty/configs'; - - $smarty->template_dir = PATH_TEMPLATE; + $configDir = PATH_THIRDPARTY . 'smarty/configs'; + $configDir = $filter->validateInput($configDir, 'path'); + $smarty->config_dir = $configDir; + $templateDir = PATH_TEMPLATE; + $templateDir = $filter->validateInput($templateDir, 'path'); + $smarty->template_dir = $templateDir; $smarty->force_compile = true; foreach ($data as $key => $value) { @@ -371,7 +377,7 @@ class Bootstrap * @param string $strClass * @return void */ - public function LoadSystem($strClass) + public static function LoadSystem($strClass) { require_once (PATH_GULLIVER . 'class.' . $strClass . '.php'); } @@ -669,7 +675,7 @@ class Bootstrap */ public static function LoadClass($strClass) { - Bootstrap::LoadSystem('inputfilter'); + self::LoadSystem('inputfilter'); $filter = new InputFilter(); $path = PATH_GULLIVER . 'class.' . $strClass . '.php'; diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php index 9c3ead4e0..095123104 100644 --- a/gulliver/system/class.g.php +++ b/gulliver/system/class.g.php 
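Review bot: `LoadSystem()` still concatenates `$strClass` straight into the `require_once` path, and declaring it `public static` makes it callable from anywhere without an instance. Every call visible in this diff passes the literal `'inputfilter'`, but nothing in the method enforces that, so a caller that forwards a request-derived name could steer the include to a file outside the intended set. I would add an allowlist check as the first statement, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $strClass)) { throw new Exception('Invalid system class name'); }`, adjusting the pattern if system class names legitimately contain other characters. The docblock should also say that the argument must be a bare class suffix and never caller input.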
@@ -526,13 +526,13 @@ class G $oHeadPublisher->clearScripts(); $oHeadPublisher->leimnudInitString = $leimnudInitString; $oHeadPublisher->addScriptFile( '/js/maborak/core/maborak.js' ); - $G_PUBLISH->AddContent( 'xmlform', 'xmlform', 'login/showMessage', null, array ('MESSAGE' => $e->getMessage() + $G_PUBLISH->AddContent( 'xmlform', 'xmlform', 'login/showMessage', null, array ('MESSAGE' => self::getErrorMessage($e) ) ); if (class_exists( 'SkinEngine' )) { $skinEngine = new SkinEngine( 'publish', 'blank', '' ); $skinEngine->dispatch(); } else { - die( $e->getMessage() ); + die( self::getErrorMessage($e) ); } } } @@ -5657,6 +5657,18 @@ class G { return crc32($string); } + + /** + * this function get the Message + * @access public + * @param string $e + * @return string + * + */ + public static function getErrorMessage($e) + { + return $e->getMessage(); + } } /** diff --git a/gulliver/system/class.inputfilter.php b/gulliver/system/class.inputfilter.php index 6286769bf..3330637cc 100644 --- a/gulliver/system/class.inputfilter.php +++ b/gulliver/system/class.inputfilter.php @@ -571,7 +571,12 @@ class InputFilter return $value; } - + + /** + * @param $value + * @param $type + * @return bool|int|mixed|string + */ function sanitizeInputValue($value, $type) { switch($type) { @@ -602,9 +607,13 @@ class InputFilter } return $value; - } - - + } + + /** + * @param $value + * @param $type + * @throws Exception + */ function validateInputValue($value, $type) { switch($type) { @@ -641,7 +650,15 @@ class InputFilter throw new Exception('not a string value'); } } - - - } + } + + /** + * @param $pathFile + * @return string + */ + function validatePath($pathFile) { + $sanitizefilteredPath = mb_ereg_replace("([\.]{2,})", '', $pathFile); + $sanitizefilteredPath = mb_ereg_replace("(^~)", '', $sanitizefilteredPath); + return $sanitizefilteredPath; + } } 
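Review bot: `G::getErrorMessage()` returns `$e->getMessage()` unchanged, so routing `die( self::getErrorMessage($e) )` and the `'MESSAGE'` form value through it leaves the output exactly as exposed as before: exception text, which can carry request data or file paths, still reaches the response without encoding. If the wrapper is meant to be the one place where messages are made safe to display, the HTML sinks should encode at output, for example `die( htmlspecialchars(self::getErrorMessage($e), ENT_QUOTES, 'UTF-8') );`, with the detailed text sent to the log rather than the page. The docblock declares `@param string $e` although the method calls `$e->getMessage()`; it should read `@param Exception $e` and state that the message is returned unescaped. The same substitution is made in cliAddons.php, cliMafe.php and class.labelsGmail.php further down, where the `print` calls in labelsGmail are the ones to check for an HTML context.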
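Review bot: `validatePath()` silently rewrites the path (it deletes runs of two or more dots and a leading `~`) instead of rejecting it, and it neither anchors the result to a base directory nor treats absolute paths specially, so on its own it does not confine a caller-supplied path. Rewriting also turns a legitimate name such as `a..b.txt` into `ab.txt`, and turns a suspicious path into a different valid one rather than an error that could be logged. I would state in the docblock exactly what is stripped, declare the method `public`, and for callers that need containment resolve the path with `realpath()` and compare it with the allowed base directory, failing closed on a mismatch. `mb_ereg_replace()` requires the mbstring extension and can return `false`, which this method would then hand back as the path.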
diff --git a/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php b/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php index bd4c21d17..1c956d864 100644 --- a/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php +++ b/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php @@ -96,9 +96,8 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac G::LoadSystem('inputfilter'); $filter = new InputFilter(); - $file = $filter->validateInput($file,'path'); - - return unlink($file); + + return unlink($filter->validateInput($file,'path')); } /** @@ -198,19 +197,17 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac private function _write($file, $data, $config) { if (!class_exists('G')) { - $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); - $docuroot = explode( '/', $realdocuroot ); - array_pop( $docuroot ); - $pathhome = implode( '/', $docuroot ) . '/'; - array_pop( $docuroot ); - $pathTrunk = implode( '/', $docuroot ) . '/'; - require_once($pathTrunk.'gulliver/system/class.g.php'); + $realdocuroot = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']); + $docuroot = explode('/', $realdocuroot); + array_pop($docuroot); + $pathhome = implode('/', $docuroot) . '/'; + array_pop($docuroot); + $pathTrunk = implode('/', $docuroot) . '/'; + require_once($pathTrunk . 'gulliver/system/class.g.php'); } - G::LoadSystem('inputfilter'); $filter = new InputFilter(); - $file = $filter->validateInput($file,'path'); - + if(is_file($file)) { $result = file_put_contents($file, $data); } else { @@ -223,7 +220,7 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac $chmod = 0644; // invalid config or simpletest } $chmod = $chmod & 0666; - chmod($file, $chmod); + chmod($filter->validateInput($file, 'path'), $chmod); } return $result; } 
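Review bot: In `_write()` the line `$file = $filter->validateInput($file,'path');` is removed, so `is_file($file)` and `file_put_contents($file, $data)` now run on the unfiltered argument while only `chmod()` receives the filtered value. If the filter ever changes the string, the file written and the file whose mode is changed are no longer the same path; if it never changes it, the call inside `chmod()` adds nothing. Compute the value once before the first use, `$file = $filter->validateInput($file, 'path');`, and pass `$file` to all three calls. `$pathhome` is assigned but not used in the lines shown; the body of `_write()` spans this hunk and the next one.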
diff --git a/gulliver/thirdparty/geshi/contrib/example.php b/gulliver/thirdparty/geshi/contrib/example.php deleted file mode 100755 index 32e6f0c75..000000000 --- a/gulliver/thirdparty/geshi/contrib/example.php +++ /dev/null @@ -1,217 +0,0 @@ - tag inside the list items (
tag around the list () which is invalid in HTML 4 and XHTML 1 - // HEADER_DIV puts a
tag arount the list (valid!) but needs to replace whitespaces with   - // thus producing much larger overhead. You can set the tab width though. - $geshi->set_header_type(GESHI_HEADER_PRE_VALID); - - // Enable CSS classes. You can use get_stylesheet() to output a stylesheet for your code. Using - // CSS classes results in much less output source. - $geshi->enable_classes(); - - // Enable line numbers. We want fancy line numbers, and we want every 5th line number to be fancy - $geshi->enable_line_numbers(GESHI_FANCY_LINE_NUMBERS, 5); - - // Set the style for the PRE around the code. The line numbers are contained within this box (not - // XHTML compliant btw, but if you are liberally minded about these things then you'll appreciate - // the reduced source output). - $geshi->set_overall_style('font: normal normal 90% monospace; color: #000066; border: 1px solid #d0d0d0; background-color: #f0f0f0;', false); - - // Set the style for line numbers. In order to get style for line numbers working, the- element - // is being styled. This means that the code on the line will also be styled, and most of the time - // you don't want this. So the set_code_style reverts styles for the line (by using a
on the line). - // So the source output looks like this: - // - //- //
- - -GeSHi examples - - - -GeSHi Example Script
-To use this script, make sure that geshi.php is in the parent directory or in your -include_path, and that the language files are in a subdirectory of GeSHi's directory called geshi/.
-Enter your source and a language to highlight the source in and submit, or just choose a language to -have that language file highlighted in PHP.
-parse_code(); - echo '
'; -} -?> - - - - diff --git a/gulliver/thirdparty/pear/Net/FTP.php b/gulliver/thirdparty/pear/Net/FTP.php index bd6e6b3b7..4f8ad4d5c 100755 --- a/gulliver/thirdparty/pear/Net/FTP.php +++ b/gulliver/thirdparty/pear/Net/FTP.php @@ -1409,6 +1409,17 @@ class Net_FTP extends PEAR function getRecursive($remote_path, $local_path, $overwrite = false, $mode = null) { + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $remote_path = $this->_constructPath($remote_path); if (!$this->_checkDir($remote_path)) { return $this->raiseError("Given remote-path '".$remote_path. @@ -1421,8 +1432,8 @@ class Net_FTP extends PEAR NET_FTP_ERR_LOCALPATHNODIR); } - if (!@is_dir($local_path)) { - $res = @mkdir($local_path); + if (!@is_dir($filter->validatePath($local_path))) { + $res = @mkdir($filter->validatePath($local_path)); if (!$res) { return $this->raiseError("Could not create dir '$local_path'", NET_FTP_ERR_CREATELOCALDIR_FAILED); diff --git a/gulliver/thirdparty/pear/Net/FTP/Socket.php b/gulliver/thirdparty/pear/Net/FTP/Socket.php index 3dce53e7b..0319cb564 100755 --- a/gulliver/thirdparty/pear/Net/FTP/Socket.php +++ b/gulliver/thirdparty/pear/Net/FTP/Socket.php 
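Review bot: The block added at the top of `getRecursive()` locates `class.g.php` from `$_SERVER['DOCUMENT_ROOT']`, which is empty or unset when PHP runs from the command line and otherwise depends on the web server's virtual-host layout; with an empty value `$pathTrunk` collapses to `/` and the `require_once` fails fatally. The same copy appears in `ftp_get()` (Net/FTP/Socket.php), `doPackageDependencies()` (PEAR/Command/Package.php), Phing.php, Capsule.php and IncludePathTask.php, the last three without the `class_exists('G')` guard and in tools that are normally run from a shell. Resolving relative to the file itself removes the dependency on server-supplied state, here `require_once __DIR__ . '/../../../system/class.g.php';`, ideally through one shared helper instead of repeated copies. `$pathhome` is never used in the added lines.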
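Review bot: `validatePath($local_path)` is applied only inside the `is_dir()` and `mkdir()` calls, while `$local_path` itself stays unchanged for the error message and for whatever follows in the function (the body continues outside the hunk). When the filter alters the string, the directory that gets created is not the directory the rest of `getRecursive()` refers to, so the check and the later writes disagree about the path. Assign once before the test, `$local_path = $filter->validatePath($local_path);`, and use that variable throughout. `ftp_get()` in Net/FTP/Socket.php has the same split: `is_writable(dirname($local))` runs on the raw value and `fopen()` on the filtered one.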
@@ -635,6 +635,17 @@ function ftp_put(&$control, $remote, $local, $mode, $pos = 0) */ function ftp_get(&$control, $local, $remote, $mode, $resume = 0) { + if (!class_exists('G')) { + $realdocuroot = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']); + $docuroot = explode('/', $realdocuroot); + array_pop($docuroot); + $pathhome = implode('/', $docuroot) . '/'; + array_pop($docuroot); + $pathTrunk = implode('/', $docuroot) . '/'; + require_once($pathTrunk . 'gulliver/system/class.g.php'); + } + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); if (!is_resource($control) || !is_writable(dirname($local)) || !is_integer($mode) || !is_integer($resume)) { return false; @@ -660,8 +671,8 @@ function ftp_get(&$control, $local, $remote, $mode, $resume = 0) return false; } - if(is_file($local)) { - $fp = fopen($local, 'w'.$windows[$mode]); + if(is_file($filter->validatePath($local))) { + $fp = fopen($filter->validatePath($local), 'w'.$windows[$mode]); } else { $fp = false; } diff --git a/gulliver/thirdparty/pear/PEAR/Command/Package.php b/gulliver/thirdparty/pear/PEAR/Command/Package.php index 8c4248260..b7bf6fd83 100755 --- a/gulliver/thirdparty/pear/PEAR/Command/Package.php +++ b/gulliver/thirdparty/pear/PEAR/Command/Package.php 
@@ -444,6 +444,20 @@ Wrote: /usr/src/redhat/RPMS/i386/PEAR::Net_Socket-1.0-1.i386.rpm function doPackageDependencies($command, $options, $params) { + if (!class_exists('G')) { + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.g.php'); + } + + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); + $command = $filter->validateInput($command); + // $params[0] -> the PEAR package to list its information if (sizeof($params) != 1) { return $this->raiseError("bad parameter(s), try \"help $command\""); diff --git a/gulliver/thirdparty/phing/Phing.php b/gulliver/thirdparty/phing/Phing.php index 00e9dfb12..a9b689fbc 100644 --- a/gulliver/thirdparty/phing/Phing.php +++ b/gulliver/thirdparty/phing/Phing.php @@ -858,7 +858,17 @@ class Phing { } $firstPath = explode(":", implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts))); if (is_dir($firstPath[0])) { - ini_set('include_path', implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts))); + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.inputfilter.php'); + $filter = new InputFilter(); + $incPath = implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts)); + $incPath = $filter->validateInput($incPath, 'path'); + ini_set('include_path', $incPath); } } } diff --git a/gulliver/thirdparty/phing/lib/Capsule.php b/gulliver/thirdparty/phing/lib/Capsule.php index 693649177..43c2e070e 100755 --- a/gulliver/thirdparty/phing/lib/Capsule.php +++ b/gulliver/thirdparty/phing/lib/Capsule.php 
@@ -117,7 +117,15 @@ class Capsule { // extract variables into local namespace extract($this->vars); - + + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.inputfilter.php'); + $filter = new InputFilter(); // prepend template path to include path, // so that include "path/relative/to/templates"; can be used within templates $__old_inc_path = ini_get('include_path'); @@ -126,11 +134,15 @@ class Capsule { if(strpos($path,":")>0){ $firstPath = explode(":", $this->templatePath . PATH_SEPARATOR . $__old_inc_path); if (is_dir($firstPath[0])) { - ini_set('include_path', $this->templatePath . PATH_SEPARATOR . $__old_inc_path); + $incPath = $this->templatePath . PATH_SEPARATOR . $__old_inc_path; + $incPath = $filter->validateInput($incPath, 'path'); + ini_set('include_path', $incPath); } } else { if(is_dir($this->templatePath . PATH_SEPARATOR . $__old_inc_path)) { - ini_set('include_path', $this->templatePath . PATH_SEPARATOR . $__old_inc_path); + $incPath = $this->templatePath . PATH_SEPARATOR . $__old_inc_path; + $incPath = $filter->validateInput($incPath, 'path'); + ini_set('include_path', $incPath); } } diff --git a/gulliver/thirdparty/phing/tasks/system/IncludePathTask.php b/gulliver/thirdparty/phing/tasks/system/IncludePathTask.php index 317036bc8..5f1758c3c 100644 --- a/gulliver/thirdparty/phing/tasks/system/IncludePathTask.php +++ b/gulliver/thirdparty/phing/tasks/system/IncludePathTask.php 
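Review bot: In the `else` branch `is_dir()` is called on `$this->templatePath . PATH_SEPARATOR . $__old_inc_path`, which is an include-path list rather than a directory, so the test can only succeed if that whole string happens to name a directory and the new `ini_set('include_path', $incPath)` is in practice skipped. The check belongs on the directory being added, `if (is_dir($this->templatePath)) {`, with the list built afterwards. IncludePathTask.php has the same shape: `$dir` is the joined list and is passed to `is_dir($dir)` before `set_include_path($dir)`. Separately, the `'path'` filter is applied to a multi-entry list and its result is used unchecked; how `validateInput()` treats the separator is not visible here and is worth confirming.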
@@ -106,10 +106,20 @@ class IncludePathTask extends TaskPhing { $add_parts = explode(PATH_SEPARATOR, $this->classpath); $new_parts = array_diff($add_parts, $curr_parts); + $realdocuroot = str_replace( '\\', '/', $_SERVER['DOCUMENT_ROOT'] ); + $docuroot = explode( '/', $realdocuroot ); + array_pop( $docuroot ); + $pathhome = implode( '/', $docuroot ) . '/'; + array_pop( $docuroot ); + $pathTrunk = implode( '/', $docuroot ) . '/'; + require_once($pathTrunk.'gulliver/system/class.inputfilter.php'); + $filter = new InputFilter(); if ($new_parts) { $this->log("Prepending new include_path components: " . implode(PATH_SEPARATOR, $new_parts), PROJECT_MSG_VERBOSE); - if(is_dir(implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts)))) { - set_include_path(implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts))); + $dir = implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts)); + $dir = $filter->validateInput($dir, 'path'); + if(is_dir($dir)) { + set_include_path($dir); } } diff --git a/workflow/engine/bin/tasks/cliAddons.php b/workflow/engine/bin/tasks/cliAddons.php index 1fdffd8cf..37a44d61c 100644 --- a/workflow/engine/bin/tasks/cliAddons.php +++ b/workflow/engine/bin/tasks/cliAddons.php @@ -133,7 +133,7 @@ function change_hash($command, $opts) $workspace->close(); CLI::logging(pakeColor::colorize("Changed...", "ERROR") . "\n"); } catch (Exception $e) { - echo "> Error: ".CLI::error($e->getMessage()) . "\n"; + echo "> Error: ".CLI::error(G::getErrorMessage($e)) . "\n"; } } } diff --git a/workflow/engine/bin/tasks/cliMafe.php b/workflow/engine/bin/tasks/cliMafe.php index d1b0f35d1..e185a769e 100644 --- a/workflow/engine/bin/tasks/cliMafe.php +++ b/workflow/engine/bin/tasks/cliMafe.php 
@@ -62,7 +62,7 @@ function run_create_translation($args, $opts) echo "Updating labels for workspace " . pakeColor::colorize($workspace->name, "INFO") . "\n"; $translation->generateTransaltionMafe($lang); } catch (Exception $e) { - echo "Errors upgrading labels for workspace " . CLI::info($workspace->name) . ": " . CLI::error($e->getMessage()) . "\n"; + echo "Errors upgrading labels for workspace " . CLI::info($workspace->name) . ": " . CLI::error(G::getErrorMessage($e)) . "\n"; } } diff --git a/workflow/engine/classes/class.labelsGmail.php b/workflow/engine/classes/class.labelsGmail.php index a0771a6d7..f7bcc290b 100644 --- a/workflow/engine/classes/class.labelsGmail.php +++ b/workflow/engine/classes/class.labelsGmail.php @@ -13,7 +13,7 @@ class labelsGmail $labels = array_merge($labels, $labelsResponse->getLabels()); } } catch (Exception $e) { - print G::LoadTranslation("ID_PMGMAIL_GENERAL_ERROR") . $e->getMessage(); + print G::LoadTranslation("ID_PMGMAIL_GENERAL_ERROR") . G::getErrorMessage($e); throw ($e); } return $labels; @@ -37,7 +37,7 @@ class labelsGmail try { $message = $service->users_messages->modify($userId, $messageId, $mods); } catch (Exception $e) { - print G::LoadTranslation("ID_PMGMAIL_GENERAL_ERROR") . $e->getMessage(); + print G::LoadTranslation("ID_PMGMAIL_GENERAL_ERROR") . G::getErrorMessage($e); throw ($e); } } @@ -69,7 +69,7 @@ class labelsGmail $messages = array_merge($messages, $messagesResponse->getMessages()); } } catch (Exception $e) { - print G::LoadTranslation("ID_PMGMAIL_GENERAL_ERROR") . $e->getMessage(); + print G::LoadTranslation("ID_PMGMAIL_GENERAL_ERROR") . G::getErrorMessage($e); throw ($e); } } while ($pageToken); diff --git a/workflow/engine/classes/class.pmDynaform.php b/workflow/engine/classes/class.pmDynaform.php index 1319b12cb..6026948c3 100644 --- a/workflow/engine/classes/class.pmDynaform.php +++ b/workflow/engine/classes/class.pmDynaform.php 
@@ -148,7 +148,7 @@ class pmDynaform public function jsonr(&$json) { - if(empty($json)){ + if (empty($json)) { return; } foreach ($json as $key => &$value) { @@ -422,18 +422,22 @@ class pmDynaform $oCriteria->add(AppDocumentPeer::APP_DOC_FIELDNAME, $json->name); $oCriteria->add(ContentPeer::CON_CATEGORY, 'APP_DOC_FILENAME'); $oCriteria->add(ContentPeer::CON_LANG, $this->lang); + $oCriteria->addDescendingOrderByColumn(AppDocumentPeer::APP_DOC_CREATE_DATE); + $oCriteria->setLimit(1); $rs = AppDocumentPeer::doSelectRS($oCriteria); $rs->setFetchmode(ResultSet::FETCHMODE_ASSOC); $links = array(); $labelsFromDb = array(); + $appDocUids = array(); while ($rs->next()) { $row = $rs->getRow(); - $linkDownload = "../cases/cases_ShowDocument?a=" . $row["APP_DOC_UID"] . "&v=" . $row["DOC_VERSION"]; - array_push($links, $linkDownload); - array_push($labelsFromDb, $row["CON_VALUE"]); + $links[] = "../cases/cases_ShowDocument?a=" . $row["APP_DOC_UID"] . "&v=" . $row["DOC_VERSION"]; + $labelsFromDb[] = $row["CON_VALUE"]; + $appDocUids[] = $row["APP_DOC_UID"]; } $json->data = new stdClass(); $json->data->value = $links; + $json->data->app_doc_uid = $appDocUids; if (sizeof($labelsFromDb)) { $json->data->label = G::json_encode($labelsFromDb); diff --git a/workflow/engine/js/cases/core/pmDynaform.js b/workflow/engine/js/cases/core/pmDynaform.js index 430b77ff4..a09be2fa9 100644 --- a/workflow/engine/js/cases/core/pmDynaform.js +++ b/workflow/engine/js/cases/core/pmDynaform.js @@ -112,8 +112,9 @@ $(window).load(function () { window.dynaform.getForms()[0].applySuccess(); window.dynaform.getForms()[0].prepareFormToPost(); form.submit(); + } else { + return false; } - return false; }; if (triggerDebug === true) { showdebug(); diff --git a/workflow/engine/methods/cases/cases_SaveData.php b/workflow/engine/methods/cases/cases_SaveData.php index a03868e07..d9349c2bd 100755 --- a/workflow/engine/methods/cases/cases_SaveData.php +++ b/workflow/engine/methods/cases/cases_SaveData.php 
@@ -396,6 +396,11 @@ try { G::uploadFile( $arrayFileTmpName[$i], $sPathName, $sFileName ); + //set variable for APP_DOC_UID + $aData["APP_DATA"][$oAppDocument->getAppDocFieldname()] = G::json_encode([$oAppDocument->getAppDocUid()]); + $aData["APP_DATA"][$oAppDocument->getAppDocFieldname() . "_label"] = G::json_encode([$oAppDocument->getAppDocFilename()]); + $oCase->updateCase($_SESSION['APPLICATION'], $aData); + //Plugin Hook PM_UPLOAD_DOCUMENT for upload document $oPluginRegistry = &PMPluginRegistry::getSingleton(); diff --git a/workflow/engine/methods/processes/processes_Ajax.php b/workflow/engine/methods/processes/processes_Ajax.php index 5fff3c309..643d59f19 100755 --- a/workflow/engine/methods/processes/processes_Ajax.php +++ b/workflow/engine/methods/processes/processes_Ajax.php 
@@ -190,12 +190,17 @@ try { include (PATH_METHODS . 'processes/processes_webEntryValidate.php'); break; case 'webEntry_delete': + G::LoadSystem('inputfilter'); + $filter = new InputFilter(); $form = $_REQUEST; if(file_exists(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . PATH_SEP . $form['PRO_UID'] . PATH_SEP . $form['FILENAME'])) { - unlink(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . PATH_SEP . $form['PRO_UID'] . PATH_SEP . $form['FILENAME']); + unlink($filter->validateInput(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . + PATH_SEP . $form['PRO_UID'] . PATH_SEP . $form['FILENAME'], 'path')); } if(file_exists(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . PATH_SEP . $form['PRO_UID'] . PATH_SEP . str_replace(".php", "Post", $form['FILENAME']) . ".php")) { - unlink(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . PATH_SEP . $form['PRO_UID'] . PATH_SEP . str_replace(".php", "Post", $form['FILENAME']) . ".php"); + unlink($filter->validateInput(PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . + PATH_SEP . $form['PRO_UID'] . PATH_SEP . str_replace(".php", "Post", $form['FILENAME']) . ".php", + 'path')); } $oProcessMap->webEntry($_REQUEST['PRO_UID']); G::auditLog('WebEntry','Delete web entry ('.$form['FILENAME'].') in process "'.$resultProcess['PRO_TITLE'].'"'); diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php b/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php index 9192cd850..3234f564c 100644 --- a/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php +++ b/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php 
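Review bot: In `webEntry_delete` the path handed to `unlink()` is built from `$form['PRO_UID']` and `$form['FILENAME']`, both taken from `$_REQUEST`, and the `file_exists()` test runs on the raw concatenation while `unlink()` receives the filtered string, so the file that is checked and the file that is removed can differ. A string filter over the full path does not establish that the target is a web-entry file inside this workspace's `public` directory for that process. I would validate each component on its own before building the path and delete exactly what was checked, as sketched below; the two patterns are assumptions about the UID and file-name formats and need adjusting to the real ones. The `case` body continues past the hunk, and `G::auditLog()` still records `$form['FILENAME']` as received.

```php
case 'webEntry_delete':
    $form = $_REQUEST;
    // Accept only a plain UID and a plain .php file name: no separators, no dot segments.
    $proUid = isset($form['PRO_UID']) ? (string) $form['PRO_UID'] : '';
    $fileName = isset($form['FILENAME']) ? (string) $form['FILENAME'] : '';
    if (!preg_match('/^[A-Za-z0-9]+$/', $proUid) || !preg_match('/^[A-Za-z0-9_\-]+\.php$/', $fileName)) {
        throw new Exception('Invalid web entry reference');
    }
    $publicDir = PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "public" . PATH_SEP . $proUid . PATH_SEP;
    foreach (array($fileName, str_replace(".php", "Post", $fileName) . ".php") as $name) {
        // Check and delete the same string so the two operations cannot diverge.
        if (is_file($publicDir . $name)) {
            unlink($publicDir . $name);
        }
    }
    // … unchanged: $oProcessMap->webEntry() and G::auditLog() calls …
```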
@@ -1728,12 +1728,13 @@ class Cases * @param string $app_uid, Uid for case * @param array $app_data, Data for case variables * @param string $dyn_uid, Uid for dynaform + * @param string $del_index, Index for case * @param string $usr_uid, Uid for user * * @author Brayan Pereyra (Cochalo)* @copyright Colosa - Bolivia */ - public function setCaseVariables($app_uid, $app_data, $dyn_uid = null, $usr_uid) + public function setCaseVariables($app_uid, $app_data, $dyn_uid = null, $usr_uid ,$del_index = 0) { Validator::isString($app_uid, '$app_uid'); Validator::appUid($app_uid, '$app_uid'); @@ -1771,7 +1772,7 @@ class Cases $_SESSION['USER_LOGGED'] = $usr_uid; $case = new \Cases(); - $fields = $case->loadCase($app_uid); + $fields = $case->loadCase($app_uid, $del_index); $_POST['form'] = $app_data; if (!is_null($dyn_uid) && $dyn_uid != '') { @@ -1783,6 +1784,17 @@ class Cases } } + if (!is_null($dyn_uid) && $del_index > 0) { + //save data + $data = array(); + $data['APP_NUMBER'] = $fields['APP_NUMBER']; + $data['APP_DATA'] = $fields['APP_DATA']; + $data['DEL_INDEX'] = $del_index; + $data['TAS_UID'] = $fields['TAS_UID'];; + $data['CURRENT_DYNAFORM'] = $dyn_uid; + $data['USER_UID'] = $usr_uid; + $data['PRO_UID'] = $fields['PRO_UID']; + } $data['APP_DATA'] = array_merge($fields['APP_DATA'], $_POST['form']); $case->updateCase($app_uid, $data); } diff --git a/workflow/engine/src/ProcessMaker/Services/Api/Cases.php b/workflow/engine/src/ProcessMaker/Services/Api/Cases.php index 85715ec95..3a90ddf6b 100644 --- a/workflow/engine/src/ProcessMaker/Services/Api/Cases.php +++ b/workflow/engine/src/ProcessMaker/Services/Api/Cases.php 
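Review bot: `$del_index` is the only argument of `setCaseVariables()` that reaches `loadCase()` without any check, whereas `$app_uid` goes through `Validator::isString()` and `Validator::appUid()`; it arrives from the request through `doPutCaseVariables()` in Services/Api/Cases.php. It should be normalised and range-checked at the top, e.g. `$del_index = (int) $del_index; if ($del_index < 0) { throw new \Exception('Invalid del_index'); }`, and it is worth confirming that the delegation it names belongs to `$usr_uid` before the case is updated, since nothing in the visible lines does so. The docblocks in both files declare it `@param string` and list it before `$usr_uid`, which matches neither the `0` default nor the signature order. In the third hunk `$data` is initialised only inside the new `if`, so `$data['APP_DATA'] = array_merge(...)` relies on it being created implicitly otherwise, and `$fields['TAS_UID'];;` carries a stray semicolon.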
@@ -862,19 +862,20 @@ class Cases extends Api * @param string $app_uid {@min 1}{@max 32} * @param array $request_data * @param string $dyn_uid {@from path} + * @param string $del_index {@from path} * * @author Brayan Pereyra (Cochalo) * @copyright Colosa - Bolivia * * @url PUT /:app_uid/variable */ - public function doPutCaseVariables($app_uid, $request_data, $dyn_uid = '') + public function doPutCaseVariables($app_uid, $request_data, $dyn_uid = '', $del_index = 0) { try { $usr_uid = $this->getUserId(); $cases = new \ProcessMaker\BusinessModel\Cases(); $request_data = \ProcessMaker\Util\DateTime::convertDataToUtc($request_data); - $cases->setCaseVariables($app_uid, $request_data, $dyn_uid, $usr_uid); + $cases->setCaseVariables($app_uid, $request_data, $dyn_uid, $usr_uid, $del_index); } catch (\Exception $e) { throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage())); } diff --git a/workflow/engine/src/ProcessMaker/Services/Api/Light.php b/workflow/engine/src/ProcessMaker/Services/Api/Light.php index 761b9885d..312206793 100644 --- a/workflow/engine/src/ProcessMaker/Services/Api/Light.php +++ b/workflow/engine/src/ProcessMaker/Services/Api/Light.php @@ -18,6 +18,7 @@ use \ProcessMaker\Util\DateTime; class Light extends Api { + private $regexNull = '/^null$/i'; private $arrayFieldIso8601 = [ // request lists 'newerThan', @@ -137,6 +138,10 @@ class Light extends Api $oldestthan ='' ) { try { + if (preg_match($this->regexNull, $newerThan)) { + return []; + } + $dataList['userId'] = $this->getUserId(); $dataList['action'] = 'todo'; $dataList['paged'] = true; @@ -230,6 +235,10 @@ class Light extends Api $oldestthan ='' ) { try { + if (preg_match($this->regexNull, $newerThan)) { + return []; + } + $dataList['userId'] = $this->getUserId(); $dataList['action'] = 'draft'; $dataList['paged'] = true; 
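Review bot: The `$newerThan` guard in Light.php returns `[]` when the client sends the literal text `null`, which makes a malformed request indistinguishable from an empty list, and the sibling parameter `$oldestthan` gets no equivalent check. The same four lines are pasted into five list methods (this hunk and the four that follow); a private helper such as `private function isNullLiteral($value) { return is_string($value) && preg_match($this->regexNull, $value) === 1; }` would keep them consistent and avoid handing a non-string to `preg_match()`. A one-line comment on `$regexNull` saying which client sends `null` and why an empty list is the intended answer would help the next reader.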
@@ -325,6 +334,10 @@ class Light extends Api $oldestthan ='' ) { try { + if (preg_match($this->regexNull, $newerThan)) { + return []; + } + $dataList['userId'] = $this->getUserId(); $dataList['action'] = 'sent'; $dataList['paged'] = $paged; @@ -426,6 +439,10 @@ class Light extends Api $oldestthan = '' ) { try { + if (preg_match($this->regexNull, $newerThan)) { + return []; + } + $dataList['userId'] = $this->getUserId(); $dataList['action'] = 'paused'; $dataList['paged'] = true; @@ -519,6 +536,10 @@ class Light extends Api $oldestthan ='' ) { try { + if (preg_match($this->regexNull, $newerThan)) { + return []; + } + $dataList['userId'] = $this->getUserId(); $dataList['action'] = 'unassigned'; $dataList['paged'] = false;