Index: jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentManager.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentManager.java	(revision 7453019c2afdb03ebfe2d51c5f117b81b0b314f1)
+++ jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentManager.java	(date 1555937218000)
@@ -660,6 +660,11 @@
             throw new WikiException( "attach.unwanted.file" );
         }
 
+        // prevent XSS by using illegal file names
+        if ( StringUtils.containsAny(filename,"`<>&")) {
+            throw new WikiException( "attach.unwanted.file" );
+        }
+
         //
         // Some browser send the full path info with the filename, so we need
         // to remove it here by simply splitting along slashes and then taking the path.
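Review bot: The new `StringUtils.containsAny(filename,"`<>&")` guard is a character denylist, and a denylist is not a dependable XSS fix: it leaves out the quote characters `"` and `'`, which matter wherever the attachment name is written into an HTML attribute, so the reliable mitigation is context-appropriate output encoding at every place the name is rendered, with this input check kept only as defence in depth. The comment should say so, so a later reader does not assume rendering is now safe: `// Defence in depth only: reject a few HTML-significant characters here; the real XSS protection is output encoding where the attachment name is rendered.`. Reusing the `"attach.unwanted.file"` key for this rejection also hides from the user and from the logs why the upload was refused; a distinct message key would make the rejection diagnosable. Stylistically the call `containsAny(filename,"`<>&")` does not follow the surrounding `( arg )` spacing. The enclosing method starts and ends outside this hunk, so whether the name is already encoded on output cannot be confirmed from here.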