diff --git a/modules/file/file.controller.php b/modules/file/file.controller.php
index 8ded3a292d..aa5c61e959 100644
--- a/modules/file/file.controller.php
+++ b/modules/file/file.controller.php
@@ -662,16 +662,17 @@ function insertFile($file_info, $module_srl, $upload_target_srl, $download_count
 			}
 		}
 
+		// https://github.com/xpressengine/xe-core/issues/1713
+		$file_info['name'] = preg_replace('/\.(php|phtm|phar|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x',$file_info['name']);
+		$file_info['name'] = removeHackTag($file_info['name']);
+		$file_info['name'] = str_replace(array('<','>'),array('%3C','%3E'),$file_info['name']);
+
 		// Get random number generator
 		$random = new Password();
-
+
 		// Set upload path by checking if the attachement is an image or other kinds of file
 		if(preg_match("/\.(jpe?g|gif|png|wm[va]|mpe?g|avi|swf|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/i", $file_info['name']))
 		{
-			// Immediately remove the direct file if it has any kind of extensions for hacking
-			$file_info['name'] = preg_replace('/\.(php|phtm|phar|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x',$file_info['name']);
-			$file_info['name'] = str_replace(array('<','>'),array('%3C','%3E'),$file_info['name']);
-
 			$path = sprintf("./files/attach/images/%s/%s", $module_srl,getNumberingPath($upload_target_srl,3));
 
 			// special character to '_'
diff --git a/modules/file/file.model.php b/modules/file/file.model.php
index dcfddc9073..83507bbc98 100644
--- a/modules/file/file.model.php
+++ b/modules/file/file.model.php
@@ -220,6 +220,7 @@ function getFiles($upload_target_srl, $columnList = array(), $sortIndex = 'file_
 		{
 			$file = $file_list[$i];
 			$file->source_filename = stripslashes($file->source_filename);
+			$file->source_filename = htmlspecialchars($file->source_filename);
 			$file->download_url = $this->getDownloadUrl($file->file_srl, $file->sid, $file->module_srl);
 			$file_list[$i] = $file;
 		}
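Review bot: The deny-list regex on the first added line of the file.controller.php hunk only defuses the extensions it names, so a filename ending in `.shtml`, `.xhtml` or `.svg` passes through unmangled and, if the attach directory is served inline by the web server, can be rendered as active content; `.htaccess` is likewise untouched, and an uploaded one can change how that directory is handled. Moving the mangling out of the image-only branch so it covers every upload is the right direction, and the unanchored pattern presumably exists to defuse double extensions such as `name.php.jpg`, but a deny-list is only as strong as the server configuration behind it, so the canonical control (serving the upload directory with script execution disabled) should be stated next to this code. The old explanatory comment was dropped in favour of a bare issue link; restore the intent with something like `// Defuse script/active-content extensions anywhere in the name (double-extension uploads included); see issue 1713`. insertFile continues outside the hunk.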
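Review bot: `htmlspecialchars()` on the added line of the file.model.php hunk relies on the default flags, which before PHP 8.1 do not escape single quotes, so a source_filename containing `'` still breaks out of a single-quoted attribute or inline-JS string; pass the flags explicitly: `$file->source_filename = htmlspecialchars($file->source_filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Escaping inside the model also means every consumer of getFiles() now receives an HTML-encoded name, which is wrong for non-HTML sinks such as a download filename header and will double-encode in templates that already escape; escaping at the output point is presumably safer, or at minimum add `// source_filename is HTML-escaped here; do not escape again in templates, and do not use it for headers or paths` so callers know. getFiles continues outside the hunk.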