Index: admin_templates/incs/form_blocks.tpl =================================================================== --- admin_templates/incs/form_blocks.tpl (revision 15338) +++ admin_templates/incs/form_blocks.tpl (working copy) @@ -365,9 +365,9 @@ prefix : '', field : '', thumb_format: '', - urls : '', - names : '', - sizes : '', + urls : '', + names : '', + sizes : '', flashsid : '', uploadURL : '', deleteURL : '', Index: kernel/db/db_event_handler.php =================================================================== --- kernel/db/db_event_handler.php (revision 15338) +++ kernel/db/db_event_handler.php (working copy) @@ -3114,6 +3114,10 @@ return; } + if ( !$this->Application->isAdmin ) { + $value = array_map('htmlspecialchars_decode', $value); + } + $tmp_path = WRITEABLE . '/tmp/'; $fname = $value['name']; $id = $this->Application->GetVar('id'); @@ -3232,8 +3236,13 @@ protected function OnDeleteFile(kEvent $event) { $event->status = kEvent::erSTOP; + $filename = $this->Application->GetVar('file'); - if ( strpos($this->Application->GetVar('file'), '../') !== false ) { + if ( !$this->Application->isAdmin ) { + $filename = htmlspecialchars_decode($filename); + } + + if ( strpos($filename, '../') !== false ) { return; } @@ -3243,7 +3252,7 @@ $var_name = $this->_getPendingActionVariableName($event); $schedule = $this->Application->RecallVar($var_name); $schedule = $schedule ? unserialize($schedule) : Array (); - $schedule[] = Array ('action' => 'delete', 'file' => FULL_PATH . $options['upload_dir'] . $this->Application->GetVar('file')); + $schedule[] = Array ('action' => 'delete', 'file' => FULL_PATH . $options['upload_dir'] . $filename); $this->Application->StoreVar($var_name, serialize($schedule)); } 
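Review bot: The added `$value = array_map('htmlspecialchars_decode', $value);` in the `-3114` hunk decodes every entry of `$value`, while the lines that follow only consume `$value['name']`; if `$value` is the usual `$_FILES`-shaped array, the integer `size`/`error` entries come back as strings and a nested `name[]` entry from a multi-file upload makes `htmlspecialchars_decode` warn (or throw a `TypeError` on PHP 8). Decoding only the escaped text is safer: `$value['name'] = htmlspecialchars_decode($value['name']);` (plus `type` if it is read later). The call also relies on the default flag set, which on PHP < 8.1 is `ENT_COMPAT` and leaves `&#039;` untouched — pass the same flags the front-end encoder uses, presumably `ENT_QUOTES`, so quoted file names round-trip. The enclosing method starts before this hunk and continues after it, so I cannot see where `$fname` is validated; the decode must stay ahead of that check.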
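Review bot: The rewritten guard `if ( strpos($filename, '../') !== false )` in `OnDeleteFile` is weaker than the one in the `-3259` hunk of the same file, which additionally rejects `trim($file) !== $file`, and the decoded `$filename` is then concatenated straight into `FULL_PATH . $options['upload_dir'] . $filename` for a scheduled delete. A substring test for `../` does not cover a backslash traversal (`..\`) on Windows hosts, nor a non-string value when the request sends `file[]=…`, which makes `htmlspecialchars_decode` warn and hands `strpos` a `null`. Since the scheduled path is meant to stay inside `upload_dir`, require a bare name instead: `if ( !is_string($filename) || $filename !== basename($filename) ) { return; }`. The decode is correctly placed before the check, so an entity-encoded name is validated in its decoded form.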
@@ -3259,6 +3268,11 @@ $event->status = kEvent::erSTOP; $file = $this->Application->GetVar('file'); + + if ( !$this->Application->isAdmin ) { + $file = htmlspecialchars_decode($file); + } + if ( (strpos($file, '../') !== false) || (trim($file) !== $file) ) { // when relative paths or special chars are found template names from url, then it's hacking attempt return; Index: kernel/utility/formatters/upload_formatter.php =================================================================== --- kernel/utility/formatters/upload_formatter.php (revision 15338) +++ kernel/utility/formatters/upload_formatter.php (working copy) @@ -24,7 +24,7 @@ * * @var FileHelper */ - var $fileHelper = null; + var $fileHelper = NULL; public function __construct() { @@ -48,6 +48,11 @@ */ public function Parse($value, $field_name, &$object) { + if ( !$this->Application->isAdmin ) { + // this allows to revert htmlspecialchars call for each field submitted on front-end + $value = is_array($value) ? array_map('htmlspecialchars_decode', $value) : htmlspecialchars_decode($value); + } + $ret = !is_array($value) ? $value : ''; $options = $object->GetFieldOptions($field_name); @@ -76,15 +81,18 @@ // no pending files -> return already uploded files return getArrayValue($value, 'upload'); } + $swf_uploaded_ids = explode('|', $value['tmp_ids']); $swf_uploaded_names = explode('|', $value['tmp_names']); $existing = $value['upload'] ? explode('|', $value['upload']) : array(); + if (isset($options['multiple'])) { $max_files = $options['multiple'] == false ? 1 : $options['multiple']; } else { $max_files = 1; } + $fret = array(); // don't delete uploaded file, when it's name matches delete file name @@ -92,6 +100,7 @@ $schedule = $this->Application->RecallVar($var_name); $schedule = $schedule ? unserialize($schedule) : Array(); $files2delete = Array(); + foreach ($schedule as $data) { if ($data['action'] == 'delete') { $files2delete[] = $data['file']; 
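Review bot: The added `$file = htmlspecialchars_decode($file);` assumes `$file` is a string, but `GetVar('file')` will return an array if the request sends `file[]=…`; on PHP 8 that is a `TypeError` before the hacking-attempt check runs, and on older PHP it warns and yields `null`, which then passes `strpos`/`trim` silently. Guard the type ahead of the decode: `if ( !is_string($file) ) { return; }`. The neighbouring context comment `// when relative paths or special chars are found template names from url` is copied from template handling and describes a file name here — worth correcting while the block is touched. The function's body continues beyond the hunk, so I cannot see how `$file` is used after the check.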
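Review bot: The new block at the top of `Parse()` is the fourth copy in this diff of the `!isAdmin` → `htmlspecialchars_decode` pattern (the others are in `db_event_handler.php`), each with a slightly different shape; a single helper such as `$this->Application->unescapeFrontEndValue($value)` would keep the flag set and the array handling in one place. The decode uses default flags, which on PHP < 8.1 is `ENT_COMPAT` and so leaves `&#039;` in place while `&quot;` is decoded — if the front-end escaping uses `ENT_QUOTES` (not visible here), pass the same flags so file names containing a single quote round-trip. `array_map('htmlspecialchars_decode', $value)` also assumes every element is a string; the code below only reads `tmp_ids`, `tmp_names` and `upload`, so decoding just those keys avoids touching anything else in the array. The method continues past the end of this hunk.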
@@ -258,7 +267,7 @@ * @param string $format * @return string */ - function Format($value, $field_name, &$object, $format = null) + function Format($value, $field_name, &$object, $format = NULL) { if (is_null($value)) { return ''; @@ -303,7 +312,7 @@ * @param bool $force_direct_links * @return string */ - function GetFormatted($value, $field_name, &$object, $format = null, $force_direct_links = null) + function GetFormatted($value, $field_name, &$object, $format = NULL, $force_direct_links = NULL) { if (!$format) { return $value; Index: kernel/utility/http_query.php =================================================================== --- kernel/utility/http_query.php (revision 15338) +++ kernel/utility/http_query.php (working copy) @@ -269,7 +269,7 @@ case 'F'; $this->convertFiles(); - $this->Files = $this->MergeVars($_FILES, false); //do not strip slashes! + $this->Files = $this->MergeVars($_FILES); // , false); //do not strip slashes! break; } }
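Review bot: The replacement line in `http_query.php` leaves the old argument behind as commented-out code, `// , false); //do not strip slashes!`, and the surviving comment now states the opposite of what the call does. Delete the dead fragment and record the intent instead, e.g. `$this->Files = $this->MergeVars($_FILES); // same escaping/slash handling as GET/POST; decoded back on the front-end in UploadFormatter::Parse / OnUploadFile` — I am inferring that link from the other hunks in this diff, since `MergeVars`' second parameter is not visible here. If `MergeVars` also applies the front-end `htmlspecialchars`, bear in mind that `$_FILES` carries `size`/`error` integers and the server-generated `tmp_name`, none of which should be passed through a string escape at all.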