[security] Fixed issue #14377: XSS in kcfinder upload

Dev: just need to filter when file is not uploaded

third_party/kcfinder/core/class/browser.php

@@ -710,7 +710,7 @@ protected function moveUploadFile($file, $dir) {
         if ($message !== true) {
             if (isset($file['tmp_name']))
                 @unlink($file['tmp_name']);
-            return "{$file['name']}: $message";
+            return $this->htmlData($file['name']) . ": " . $message;
         }
 
         $filename = $this->normalizeFilename($file['name']);