diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index cb89898cbdf..de1a77b16a9 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -486,16 +486,17 @@ function dol_move($srcfile, $destfile, $newmask=0, $overwriteifexists=1)
 }
 
 /**
- * Unescape a file submitted by upload. PHP escape char " and only char " into $FILES with %22
- * This is a bug because when file contains %22, it is not escape, so there is no way to retrieve original value.
- * So best solution is to keep " as %22 into uploaded filename.
+ * Unescape a file submitted by upload. PHP escape char " (%22) and char ' (%27) into $FILES
+ * Before= Capture d\'écran.doc After= Capture d'écran.doc
  *
  * @param string $filename Filename
  */
 function dol_unescapefile($filename)
 {
- //return stripslashes($filename); // FIXME
- return $filename;
+ // Remove path information and dots around the filename, to prevent uploading
+ // into different directories or replacing hidden system files.
+ // Also remove control characters and spaces (\x00..\x20) around the filename:
+ return trim(basename(stripslashes($filename)), ".\x00..\x20");
 }
 
 /**
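Review bot: The new `return trim(basename(stripslashes($filename)), ".\x00..\x20");` can legitimately yield an empty string — inputs such as `..`, `.` or a lone space collapse to `''` — and neither the code nor the docblock tells callers to reject that result before they use it to build a destination path. The docblock has no return tag; add `@return string Sanitized filename; may be empty, callers must reject an empty result` so the contract is explicit. Note also that PHP's basename() is locale-dependent and can strip leading bytes of multibyte names when the process locale is not UTF-8 aware, which is relevant given the `Capture d'écran.doc` example in the new comment; a short comment pointing at this caveat would save the next maintainer a debugging session. The `\x00..\x20` inside the trim character list is trim()'s range syntax rather than a literal `..`, which the comment above the line could state plainly to avoid a misreading of what is stripped.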