Index: branches/5.2.x/core/units/helpers/upload_helper.php
===================================================================
diff -u -N -r16002 -r16416
--- branches/5.2.x/core/units/helpers/upload_helper.php (.../5.3.x/core/units/helpers/upload_helper.php) (revision 16002)
+++ branches/5.2.x/core/units/helpers/upload_helper.php (.../5.2.x/core/units/helpers/upload_helper.php) (revision 16416)
@@ -61,9 +61,7 @@
 throw new kUploaderException('File size exceeds allowed limit.', 413);
 }
- if ( !$this->Application->isAdmin ) {
- $value = array_map('htmlspecialchars_decode', $value);
- }
+ $value = $this->Application->unescapeRequestVariable($value);
 $tmp_path = WRITEABLE . '/tmp/';
 $filename = $this->getUploadedFilename() . '.tmp';
@@ -99,8 +97,11 @@
 $this->deleteTempFiles($tmp_path);
- if ( file_exists($tmp_path . 'resized/') ) {
- $this->deleteTempFiles($tmp_path . 'resized/');
+ $thumbs_path = preg_replace('/^' . preg_quote(FULL_PATH, '/') . '/', '', $tmp_path, 1);
+ $thumbs_path = FULL_PATH . THUMBS_PATH . $thumbs_path;
+
+ if ( file_exists($thumbs_path) ) {
+ $this->deleteTempFiles($thumbs_path);
 }
 return preg_replace('/^' . preg_quote($id, '/') . '_/', '', $filename);
@@ -194,13 +195,10 @@
 */
 protected function getStorageFormat($field_name, kEvent $event)
 {
- $config = $event->getUnitConfig();
- $field_options = $config->getFieldByName($field_name);
+ $fields = $this->Application->getUnitOption($event->Prefix, 'Fields');
+ $virtual_fields = $this->Application->getUnitOption($event->Prefix, 'VirtualFields');
+ $field_options = array_key_exists($field_name, $fields) ? $fields[$field_name] : $virtual_fields[$field_name];
- if ( !$field_options ) {
- $field_options = $config->getVirtualFieldByName($field_name);
- }
-
 return isset($field_options['storage_format']) ? $field_options['storage_format'] : false;
 }
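Review bot: `$value` reaches the new `unescapeRequestVariable()` call as an array, since the removed lines decoded it element-wise with `array_map`; confirm that helper accepts and recurses into arrays rather than expecting a string, otherwise the decode silently stops applying here (or errors under strict typing). The removed branch also decoded only for non-admin requests, and whether that guard now lives inside the helper cannot be seen from this hunk, so the admin path may have changed behaviour. A one-line comment at the call site would make the intent visible, e.g. `// decode the HTML-escaped request value before it is used below`. The enclosing method starts and ends outside the hunk.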
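Review bot: The thumbnail path derived from `$tmp_path` in the second hunk is only correct when `WRITEABLE . '/tmp/'` lies under `FULL_PATH`; if the prefix does not match, `preg_replace` returns `$tmp_path` unchanged and `$thumbs_path` becomes `FULL_PATH . THUMBS_PATH` glued onto an absolute path, so `file_exists` is false and the resized temp files are silently never cleaned up. Guard the derivation, e.g. `if ( strpos($tmp_path, FULL_PATH) === 0 ) {` around the two assignments and the cleanup, or check that the replacement actually changed the string before using it. A short comment would also help a reader, e.g. `// resized copies of temp uploads are expected under THUMBS_PATH at the tmp dir's relative path` (adjust if that is not the layout). The enclosing method starts outside the hunk.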
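Review bot: In the third hunk the new ternary indexes `$virtual_fields[$field_name]` whenever the name is not a real field, so a name present in neither list (or a unit whose `VirtualFields` option is not an array, if `getUnitOption` can return that) now raises an undefined-index notice where the old `getFieldByName`/`getVirtualFieldByName` chain fell through to the `false` return. Keep the lenient behaviour: `$field_options = array_key_exists($field_name, $fields) ? $fields[$field_name] : (isset($virtual_fields[$field_name]) ? $virtual_fields[$field_name] : array());`. Note also that the removed code used a truthiness test (`!$field_options`) while the new code tests key existence, so a real field declared with an empty options array no longer falls back to the virtual definition; probably intended, but worth confirming.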
@@ -264,8 +262,8 @@
 $files = glob($path . '*.*');
 $max_file_date = strtotime('-1 day');
- foreach ($files as $file) {
- if (filemtime($file) < $max_file_date) {
+ foreach ( $files as $file ) {
+ if ( filemtime($file) < $max_file_date ) {
 unlink($file);
 }
 }
@@ -316,11 +314,8 @@
 protected function getSafeFilename()
 {
 $filename = $this->Application->GetVar('file');
+ $filename = $this->Application->unescapeRequestVariable($filename);
- if ( !$this->Application->isAdmin ) {
- $filename = htmlspecialchars_decode($filename);
- }
-
 if ( (strpos($filename, '../') !== false) || (trim($filename) !== $filename) ) {
 // when relative paths or special chars are found template names from url, then it's hacking attempt
 return false;
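Review bot: The check following the new `unescapeRequestVariable()` line in getSafeFilename rejects only the literal `../` substring and leading/trailing whitespace, so a decoded name using another separator form (a backslash on Windows), an absolute path, or a bare `..` component still passes to whatever builds the path below the hunk. If subdirectories are not meant to be accepted here, compare against the basename instead: `if ( $filename !== basename($filename) || trim($filename) !== $filename ) {`; if they are, apply one normalisation rule to every separator before testing. `GetVar('file')` may also yield a non-string (array or null), so either confirm the helper and `strpos()` tolerate that or add `if ( !is_string($filename) ) { return false; }` right after the decode. getSafeFilename continues beyond the hunk.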