diff --git a/workflow/engine/classes/class.wsTools.php b/workflow/engine/classes/class.wsTools.php
index 4a075a6f5..828c01560 100755
--- a/workflow/engine/classes/class.wsTools.php
+++ b/workflow/engine/classes/class.wsTools.php
@@ -1387,6 +1387,9 @@ class workspaceTools
     static public function dirPerms($filename, $owner, $group, $perms)
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $filename = $filter->xssFilterHard($filename, 'path');
         $chown = @chown($filename, $owner);
         $chgrp = @chgrp($filename, $group);
         $chmod = @chmod($filename, $perms);
diff --git a/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php b/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php
index af692fa04..0014b64f9 100755
--- a/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php
+++ b/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php
@@ -33,6 +33,8 @@ G::LoadClass( 'dynaFormField' );
 G::LoadClass( 'process' );
 G::LoadClass( 'dynaform' );
 //G::LoadClass('configuration');
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
 $G_MAIN_MENU = 'processmaker';
@@ -73,9 +75,10 @@ if (! file_exists( PATH_DYNAFORM . $file . '.xml' )) {
 /* End Comment */
 /* Start Comment: Create and temporal copy. */
-    $copy = implode( '', file( PATH_DYNAFORM . $file . '.xml' ) );
+$pathFile = $filter->xssFilterHard(PATH_DYNAFORM . $file . '.xml', 'path');
+$copy = implode( '', file( $pathFile ) );
 $file .= '_tmp0';
-$fcopy = fopen( PATH_DYNAFORM . $file . '.xml', "w" );
+$fcopy = fopen( $pathFile , "w" );
 fwrite( $fcopy, $copy );
 fclose( $fcopy );
 /* End Comment */
diff --git a/workflow/engine/methods/dynaforms/dynaforms_Save_as.php b/workflow/engine/methods/dynaforms/dynaforms_Save_as.php
index 50954023e..89625d5b2 100755
--- a/workflow/engine/methods/dynaforms/dynaforms_Save_as.php
+++ b/workflow/engine/methods/dynaforms/dynaforms_Save_as.php
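Review bot: In dirPerms the three filesystem calls stay `@`-suppressed, so if `xssFilterHard(..., 'path')` rewrites `$filename` instead of rejecting it, chown/chgrp/chmod are silently attempted on a path that no longer names the intended file and the caller never learns. The filter's exact 'path' behaviour is not visible here, so I would refuse altered input rather than continue with it: `if ($filter->xssFilterHard($filename, 'path') !== $filename) { return false; }` (or throw, depending on what the method returns further down). An XSS filter is also not a containment check for traversal — resolving with `realpath()` and confirming the result stays under the expected base directory is the check that actually bounds the operation. The body of dirPerms continues past the end of this hunk, so its return handling is not shown.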
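Review bot: `$pathFile` is computed before `$file .= '_tmp0'` and then reused in `fopen( $pathFile , "w" )`, so the write now truncates and rewrites the original `<file>.xml` instead of creating the `<file>_tmp0.xml` copy the removed line targeted, and the temp copy is never created even though `$file` already carries the `_tmp0` suffix for whatever follows. Build the temp path after the suffix is appended and filter it the same way: `$file .= '_tmp0';` `$tmpPathFile = $filter->xssFilterHard(PATH_DYNAFORM . $file . '.xml', 'path');` `$fcopy = fopen( $tmpPathFile, "w" );`. Note also that `file()` and `fopen()` return false on failure and nothing here checks them before `fwrite`/`fclose`, so a filtered path that no longer exists would only surface as warnings. Where `$file` is assigned is outside this hunk.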
@@ -36,6 +36,8 @@ if (! class_exists( "FieldCondition" )) {
 try {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
     $frm = $_POST['form'];
     $PRO_UID = $frm['PRO_UID'];
     $DYN_UID = $frm['DYN_UID'];
@@ -62,6 +64,7 @@ try {
     $hd = fopen( PATH_DYNAFORM . $PRO_UID . '/' . $DYN_UID . '.xml', "r" );
     $hd1 = fopen( PATH_DYNAFORM . $PRO_UID . '/' . $dynUid . '.xml', "w" );
     $templateFilename = PATH_DYNAFORM . $PRO_UID . '/' . $DYN_UID . '.html';
+    $templateFilename = $filter->xssFilterHard($templateFilename, 'path');
     // also make a copy of the template file in case that the html edition is enabled
     if (file_exists( $templateFilename )) {
diff --git a/workflow/engine/methods/setup/skin_Ajax.php b/workflow/engine/methods/setup/skin_Ajax.php
index 8339d0528..b6578b3e3 100755
--- a/workflow/engine/methods/setup/skin_Ajax.php
+++ b/workflow/engine/methods/setup/skin_Ajax.php
@@ -320,6 +320,8 @@ function importSkin ()
 function exportSkin ($skinToExport = "")
 {
     try {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
         if (! isset( $_REQUEST['SKIN_FOLDER_ID'] )) {
             throw (new Exception( G::LoadTranslation( 'ID_SKIN_NAME_REQUIRED' ) ));
         }
@@ -329,6 +331,7 @@ function exportSkin ($skinToExport = "")
     $skinFolderBase = PATH_CUSTOM_SKINS . $skinName;
     $skinFolder = $skinFolderBase . PATH_SEP;
     $skinTar = PATH_CUSTOM_SKINS . $skinName . '.tar';
+    $skinTar = $filter->xssFilterHard($skinTar, 'path');
     if (! is_dir( $skinFolder )) {
         throw (new Exception( G::LoadTranslation( 'ID_SKIN_DOESNT_EXIST' ) ));
     }
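Review bot: Only the `.html` template path is filtered here, while the two `fopen` calls directly above build `.xml` paths from the same `$PRO_UID`, `$DYN_UID` and `$dynUid`; the earlier hunk shows `$PRO_UID` and `$DYN_UID` come straight from `$_POST['form']`, so the read and the write that actually copy the dynaform still run on unfiltered request data. Sanitizing the components once at the top of the `try` covers every derived path: `$PRO_UID = $filter->xssFilterHard($frm['PRO_UID'], 'path');` `$DYN_UID = $filter->xssFilterHard($frm['DYN_UID'], 'path');` and the same for `$dynUid`, whose origin is not shown in this hunk. If these values are ProcessMaker UIDs, a strict allow-list like `preg_match('/^[A-Za-z0-9]+$/', $PRO_UID)` would be a clearer guard than an XSS filter, but the UID format should be confirmed before adopting it. The `try` block continues outside the hunk.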
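Review bot: Filtering `$skinTar` leaves `$skinFolderBase` and `$skinFolder`, built from the same `$skinName` two lines earlier, untouched, and `$skinFolder` is what `is_dir` checks here (and presumably what is archived further down, outside this hunk). The first hunk suggests the name originates in `$_REQUEST['SKIN_FOLDER_ID']`, so a traversal sequence in `$skinName` would still reach the directory operations while only the archive file name is cleaned. Apply the filter to the source value once, before the derived paths are built: `$skinName = $filter->xssFilterHard($skinName, 'path');` ahead of `$skinFolderBase = PATH_CUSTOM_SKINS . $skinName;`, and drop the per-path filtering of `$skinTar`. The assignment of `$skinName` itself falls between the two hunks and is not visible here.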