diff --git a/files/upload.php b/files/upload.php
old mode 100644
new mode 100755
index 1190b466eac690bf8a849707a673b1f69fdee608..e84cf8303db7cb21443180992f8e15ccbb7f4226
--- a/files/upload.php
+++ b/files/upload.php
@@ -22,11 +22,9 @@
 */
 require_once('../inc/lib_base.php');
 
-// sleep(5); //immitate slow internet.
-
 $fileName=$_FILES['file']['name'];
 $source=$_FILES['file']['tmp_name'];
-$target=$_GET['dir'].'/'.$fileName;
+$target=stripslashes($_GET['dir']).'/'.$fileName;
 if(isset($_SESSION['username']) and $_SESSION['username'] and strpos($_GET['dir'],'..')===false){
    if(OC_FILESYSTEM::fromTmpFile($source,$target)){
       echo 'true';
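Review bot: The traversal guard still tests the raw `$_GET['dir']` while the path written to is now built from `stripslashes($_GET['dir'])`, so the two disagree: a `dir` of `.\./.\.` contains no `..` and passes the `strpos` check, yet stripslashes turns it into `../..` before it reaches `OC_FILESYSTEM::fromTmpFile` (this applies whenever the backslash arrives unescaped, i.e. with magic_quotes_gpc off, which is presumably the common case). Normalise once and validate the value you actually use: `$dir=stripslashes($_GET['dir']);` then `$target=$dir.'/'.$fileName;` and `if(isset($_SESSION['username']) and $_SESSION['username'] and strpos($dir,'..')===false){`. `$fileName` from `$_FILES['file']['name']` is not checked at all; PHP strips directory components from that field, but a bare `..`, an empty name or a name containing a NUL byte still reaches fromTmpFile, whose handling of those cases is not visible here, so a `basename()`/non-empty check before building `$target` would be cheap insurance. The commit also flips the file mode to 100755, which a PHP script served by the web server does not need; if that was unintentional it is worth reverting. The `if` block continues past the end of the hunk.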
diff --git a/js/filebrowser.js b/js/filebrowser.js
index 1ad37ebcf3f60bfe2304eb3d29ed36f7d9473a3f..a12a7cd715c6ef684bf3ce00ca3d03305ede6bac 100644
--- a/js/filebrowser.js
+++ b/js/filebrowser.js
@@ -310,7 +310,7 @@ OC_FILES.browser.show_callback=function(content){
 		OC_FILES.browser.files.show(null,content);
 	}
 	if(OC_FILES.uploadForm){
-		OC_FILES.uploadForm.setAttribute('action','files/upload.php?dir='+dir);
+		OC_FILES.uploadForm.setAttribute('action','files/upload.php?dir='+encodeURIComponent(dir));
 	}
 }
 
@@ -423,7 +423,7 @@ OC_FILES.browser.showuploader=function(dir,parent,max_upload){
 	var iframeId=OC_FILES.uploadIFrames.length
 	OC_FILES.uploadForm=document.createElement('form');
 	OC_FILES.uploadForm.setAttribute('target','uploadIFrame'+iframeId);
-	OC_FILES.uploadForm.setAttribute('action','files/upload.php?dir='+dir);
+	OC_FILES.uploadForm.setAttribute('action','files/upload.php?dir='+encodeURIComponent(dir));
 	OC_FILES.uploadForm.method='post';
 	OC_FILES.uploadForm.setAttribute('enctype','multipart/form-data');
 	OC_FILES.uploadIFrames[iframeId]=document.createElement('iframe');
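Review bot: The upload action URL is now assembled in two places (here and in `show_callback`) with the identical `'files/upload.php?dir='+encodeURIComponent(dir)` expression, so the next change to the query string has to be made twice. A small helper keeps the encoding in one spot, e.g. `OC_FILES.browser.uploadAction=function(dir){ return 'files/upload.php?dir='+encodeURIComponent(dir); };` with both call sites becoming `OC_FILES.uploadForm.setAttribute('action',OC_FILES.browser.uploadAction(dir));`. Note that `encodeURIComponent` of an undefined `dir` yields the literal string `undefined`; if `showuploader` can be called before a directory is selected, the helper would be the natural place to guard that. `showuploader` continues beyond the end of the hunk.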