diff --git a/.gitignore b/.gitignore
index dbb8db2017..f1e8cf5613 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,6 +57,9 @@ ftpsync.settings
 Thumbs.db
 Desktop.ini
 
+# SQLite database
+/core/database/*.sqlite
+
 # all dotfiles and dotfolders except do not ignore .gitignore
 **/.*
 !.gitignore
diff --git a/core/functions/actions/files.php b/core/functions/actions/files.php
index e2fb6d2b20..b4673fec47 100644
--- a/core/functions/actions/files.php
+++ b/core/functions/actions/files.php
@@ -73,6 +73,10 @@ function ls($curpath, array $options = [])
     {
         extract($options, EXTR_OVERWRITE);
 
+        $curpath = rtrim(str_replace('\\', '/', $curpath), '/') . '/';
+        $filemanager_path = rtrim(str_replace('\\', '/', $filemanager_path), '/');
+        $base_path = rtrim(str_replace('\\', '/', $base_path), '/');
+
         $_lang = ManagerTheme::getLexicon();
         $_style = ManagerTheme::getStyle();
         $dircounter = 0;
@@ -80,10 +84,9 @@ function ls($curpath, array $options = [])
         $filesizes = 0;
         $dirs_array = [];
         $files_array = [];
-        $curpath = str_replace('//', '/', $curpath . '/');
 
         if (!is_dir($curpath)) {
-            echo 'Invalid path "', $curpath, '"<br />';
+            echo 'Invalid path "', htmlspecialchars($curpath, ENT_QUOTES, 'UTF-8'), '"<br />';
 
             return;
         }
@@ -95,13 +98,17 @@ function ls($curpath, array $options = [])
             if ($file === '..' || $file === '.') {
                 continue;
             }
+            $rel_newpath = ltrim(substr($newpath, strlen($filemanager_path)), '/');
+            $rel_web = ltrim(substr($newpath, strlen($base_path)), '/');
             if (is_dir($newpath)) {
                 $dirs_array[$dircounter]['dir'] = $newpath;
                 $dirs_array[$dircounter]['stats'] = lstat($newpath);
                 if ($file === '..' || $file === '.') {
                     continue;
                 } elseif (!in_array($file, $excludes) && !in_array($newpath, $protected_path)) {
-                    $dirs_array[$dircounter]['text'] = '<i class="' . $_style['icon_folder'] . ' FilesFolder"></i> <a href="index.php?a=31&mode=drill&path=' . urlencode($newpath) . '"><b>' . $file . '</b></a>';
+                    $dirs_array[$dircounter]['text'] = '<i class="' . $_style['icon_folder'] . ' FilesFolder"></i> '
+                        . '<a href="index.php?a=31&mode=drill&path=' . urlencode($rel_newpath) . '"><b>'
+                        . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . '</b></a>';
 
                     $dfiles = scandir($newpath);
                     foreach ($dfiles as $i => $infile) {
@@ -114,38 +121,70 @@ function ls($curpath, array $options = [])
                     }
                     $file_exists = (0 < count($dfiles)) ? 'file_exists' : '';
 
-                    $dirs_array[$dircounter]['delete'] = is_writable($curpath) ? '<a href="javascript: deleteFolder(\'' . urlencode($file) . '\',\'' . $file_exists . '\');"><i class="' . $_style['icon_trash'] . '" title="' . $_lang['file_delete_folder'] . '"></i></a>' : '';
+                    $dirs_array[$dircounter]['delete'] = is_writable($curpath) ? '<a href="javascript: deleteFolder(\''
+                        . urlencode($file) . '\',\'' . $file_exists . '\');"><i class="' . $_style['icon_trash']
+                        . '" title="' . $_lang['file_delete_folder'] . '"></i></a>' : '';
                 } else {
-                    $dirs_array[$dircounter]['text'] = '<span><i class="' . $_style['icon_folder'] . ' FilesDeletedFolder"></i> ' . $file . '</span>';
-                    $dirs_array[$dircounter]['delete'] = is_writable($curpath) ? '<span class="disabled"><i class="' . $_style['icon_trash'] . '" title="' . $_lang['file_delete_folder'] . '"></i></span>' : '';
+                    $dirs_array[$dircounter]['text'] = '<span><i class="' . $_style['icon_folder']
+                        . ' FilesDeletedFolder"></i> ' . htmlspecialchars($file, ENT_QUOTES, 'UTF-8')
+                        . '</span>';
+                    $dirs_array[$dircounter]['delete'] = is_writable($curpath) ? '<span class="disabled"><i class="'
+                        . $_style['icon_trash'] . '" title="' . $_lang['file_delete_folder'] . '"></i></span>' : '';
                 }
 
-                $dirs_array[$dircounter]['rename'] = is_writable($curpath) ? '<a href="javascript:renameFolder(\'' . urlencode($file) . '\');"><i class="' . $_style['icon_i_cursor'] . '" title="' . $_lang['rename'] . '"></i></a> ' : '';
+                $dirs_array[$dircounter]['rename'] = is_writable($curpath) ? '<a href="javascript:renameFolder(\''
+                    . urlencode($file) . '\');"><i class="' . $_style['icon_i_cursor'] . '" title="' . $_lang['rename']
+                    . '"></i></a> ' : '';
 
                 // increment the counter
                 $dircounter++;
             } else {
                 $type = getExtension($newpath);
-                $files_array[$filecounter]['file'] = $newpath;
+                $files_array[$filecounter]['file'] = $rel_newpath;
                 $files_array[$filecounter]['stats'] = lstat($newpath);
-                $files_array[$filecounter]['text'] = determineIcon($newpath, get_by_key($_REQUEST, 'path', ''), get_by_key($_REQUEST, 'mode', '')) . ' ' . $file;
-                $files_array[$filecounter]['view'] = (in_array($type,
-                    $viewablefiles)) ? '<a href="javascript:;" onclick="viewfile(\'' . $webstart_path . substr($newpath,
-                        $len,
-                        strlen($newpath)) . '\');"><i class="' . $_style['icon_eye'] . '" title="' . $_lang['files_viewfile'] . '"></i></a>' : (($enablefiledownload && in_array($type,
-                        $uploadablefiles)) ? '<a href="' . $webstart_path . implode('/', array_map('rawurlencode',
-                        explode('/', substr($newpath, $len,
-                            strlen($newpath))))) . '" style="cursor:pointer;" download><i class="' . $_style['icon_download'] . '" title="' . $_lang['file_download_file'] . '"></i></a>' : '<span class="disabled"><i class="' . $_style['icon_eye'] . '" title="' . $_lang['files_viewfile'] . '"></i></span>');
-                $files_array[$filecounter]['view'] = (in_array($type,
-                    $inlineviewablefiles)) ? '<a href="index.php?a=31&mode=view&path=' . urlencode($newpath) . '"><i class="' . $_style['icon_eye'] . '" title="' . $_lang['files_viewfile'] . '"></i></a>' : $files_array[$filecounter]['view'];
-                $files_array[$filecounter]['unzip'] = ($enablefileunzip && $type == '.zip') ? '<a href="javascript:unzipFile(\'' . urlencode($file) . '\');"><i class="' . $_style['icon_archive'] . '" title="' . $_lang['file_download_unzip'] . '"></i></a>' : '';
+                $files_array[$filecounter]['text'] = determineIcon($rel_newpath, get_by_key($_REQUEST, 'path', ''),
+                        get_by_key($_REQUEST, 'mode', '')) . ' ' . htmlspecialchars($file, ENT_QUOTES,
+                        'UTF-8');
+                $files_array[$filecounter]['view'] = in_array($type, $viewablefiles)
+                    ? '<a href="javascript:;" onclick="viewfile(\'../' . addslashes($rel_web) . '\');"><i class="' . $_style['icon_eye'] . '" title="'
+                    . $_lang['files_viewfile'] . '"></i></a>'
+                    : (($enablefiledownload && in_array($type, $uploadablefiles))
+                        ? '<a href="../' . implode('/', array_map('rawurlencode',
+                            explode('/', $rel_web)))
+                        . '" style="cursor:pointer;" download><i class="' . $_style['icon_download'] . '" title="'
+                        . $_lang['file_download_file'] . '"></i></a>' : '<span class="disabled"><i class="'
+                        . $_style['icon_eye'] . '" title="' . $_lang['files_viewfile'] . '"></i></span>');
+                $files_array[$filecounter]['view'] = (in_array($type, $inlineviewablefiles))
+                    ? '<a href="index.php?a=31&mode=view&path=' . urlencode($rel_newpath) . '"><i class="'
+                    . $_style['icon_eye'] . '" title="' . $_lang['files_viewfile'] . '"></i></a>'
+                    : $files_array[$filecounter]['view'];
+                $files_array[$filecounter]['unzip'] = ($enablefileunzip && $type == '.zip')
+                    ? '<a href="javascript:unzipFile(\'' . urlencode($file) . '\');"><i class="'
+                    . $_style['icon_archive'] . '" title="' . $_lang['file_download_unzip'] . '"></i></a>'
+                    : '';
                 $files_array[$filecounter]['edit'] = (in_array($type,
-                        $editablefiles) && is_writable($curpath) && is_writable($newpath)) ? '<a href="index.php?a=31&mode=edit&path=' . urlencode($newpath) . '#file_editfile"><i class="' . $_style['icon_edit'] . '" title="' . $_lang['files_editfile'] . '"></i></a>' : '<span class="disabled"><i class="' . $_style['icon_edit'] . '" title="' . $_lang['files_editfile'] . '"></i></span>';
-                $files_array[$filecounter]['duplicate'] = (in_array($type,
-                        $editablefiles) && is_writable($curpath) && is_writable($newpath)) ? '<a href="javascript:duplicateFile(\'' . urlencode($file) . '\');"><i class="' . $_style['icon_clone'] . '" title="' . $_lang['duplicate'] . '"></i></a>' : '<span class="disabled"><i class="' . $_style['icon_clone'] . '" align="absmiddle" title="' . $_lang['duplicate'] . '"></i></span>';
-                $files_array[$filecounter]['rename'] = (in_array($type,
-                        $editablefiles) && is_writable($curpath) && is_writable($newpath)) ? '<a href="javascript:renameFile(\'' . urlencode($file) . '\');"><i class="' . $_style['icon_i_cursor'] . '" align="absmiddle" title="' . $_lang['rename'] . '"></i></a>' : '<span class="disabled"><i class="' . $_style['icon_i_cursor'] . '" align="absmiddle" title="' . $_lang['rename'] . '"></i></span>';
-                $files_array[$filecounter]['delete'] = is_writable($curpath) && is_writable($newpath) ? '<a href="javascript:deleteFile(\'' . urlencode($file) . '\');"><i class="' . $_style['icon_trash'] . '" title="' . $_lang['file_delete_file'] . '"></i></a>' : '<span class="disabled"><i class="' . $_style['icon_trash'] . '" title="' . $_lang['file_delete_file'] . '"></i></span>';
+                        $editablefiles) && is_writable($curpath) && is_writable($newpath))
+                    ? '<a href="index.php?a=31&mode=edit&path=' . urlencode($rel_newpath) . '#file_editfile"><i class="'
+                    . $_style['icon_edit'] . '" title="' . $_lang['files_editfile'] . '"></i></a>'
+                    : '<span class="disabled"><i class="' . $_style['icon_edit'] . '" title="' . $_lang['files_editfile']
+                    . '"></i></span>';
+                $files_array[$filecounter]['duplicate'] = (in_array($type, $editablefiles) && is_writable($curpath)
+                    && is_writable($newpath))
+                    ? '<a href="javascript:duplicateFile(\'' . urlencode($file) . '\');"><i class="' . $_style['icon_clone']
+                    . '" title="' . $_lang['duplicate'] . '"></i></a>'
+                    : '<span class="disabled"><i class="' . $_style['icon_clone'] . '" align="absmiddle" title="'
+                    . $_lang['duplicate'] . '"></i></span>';
+                $files_array[$filecounter]['rename'] = (in_array($type, $editablefiles) && is_writable($curpath)
+                    && is_writable($newpath))
+                    ? '<a href="javascript:renameFile(\'' . urlencode($file) . '\');"><i class="'
+                    . $_style['icon_i_cursor'] . '" align="absmiddle" title="' . $_lang['rename'] . '"></i></a>'
+                    : '<span class="disabled"><i class="' . $_style['icon_i_cursor'] . '" align="absmiddle" title="'
+                    . $_lang['rename'] . '"></i></span>';
+                $files_array[$filecounter]['delete'] = is_writable($curpath) && is_writable($newpath)
+                    ? '<a href="javascript:deleteFile(\'' . urlencode($file) . '\');"><i class="'
+                    . $_style['icon_trash'] . '" title="' . $_lang['file_delete_file'] . '"></i></a>'
+                    : '<span class="disabled"><i class="' . $_style['icon_trash'] . '" title="'
+                    . $_lang['file_delete_file'] . '"></i></span>';
 
                 // increment the counter
                 $filecounter++;
@@ -333,37 +372,43 @@ function unzip($file, $path)
             return 0;
         }
         // end mod
-        $zip = zip_open($file);
-        if ($zip) {
-            $old_umask = umask(0);
-            $path = rtrim($path, '/') . '/';
-            while ($zip_entry = zip_read($zip)) {
-                if (zip_entry_filesize($zip_entry) > 0) {
-                    // str_replace must be used under windows to convert "/" into "\"
-                    $zip_entry_name = zip_entry_name($zip_entry);
-                    $complete_path = $path . str_replace('\\', '/', dirname($zip_entry_name));
-                    $complete_name = $path . str_replace('\\', '/', $zip_entry_name);
-                    if (!file_exists($complete_path)) {
-                        $tmp = '';
-                        foreach (explode('/', $complete_path) AS $k) {
-                            $tmp .= $k . '/';
-                            if (!is_dir($tmp)) {
-                                mkdir($tmp, 0777);
-                            }
-                        }
-                    }
-                    if (zip_entry_open($zip, $zip_entry, 'r')) {
-                        file_put_contents($complete_name, zip_entry_read($zip_entry, zip_entry_filesize($zip_entry)));
-                        zip_entry_close($zip_entry);
-                    }
+
+        $old_umask = umask(0);
+        $path = rtrim(str_replace('\\', '/', realpath($path)), '/\\'); // No trailing slash
+
+        $zip = new ZipArchive();
+        if ($zip->open($file) !== true) {
+            umask($old_umask);
+            return false;
+        }
+        for ($i = 0; $i < $zip->numFiles; $i++) {
+            $stat = $zip->statIndex($i);
+            $filename = str_replace('\\', '/', $stat['name']);
+            if (substr($filename, 0, 1) == '/' || strpos($filename, '..') !== false ||
+                strpos($filename, ':') !== false) {
+                continue; // skip malicious paths
+            }
+            $target = $path . '/' . $filename;
+            // Additional check to ensure target is within path
+            $target_dir = rtrim(str_replace('\\', '/', realpath(dirname($target)) ?: dirname($target)), '/\\');
+            if (strpos($target_dir, $path) !== 0) {
+                continue;
+            }
+            if (substr($filename, -1) == '/') {
+                if (!is_dir($target)) {
+                    mkdir($target, $newfolderaccessmode ?: 0777, true);
                 }
+            } else {
+                $dirname = dirname($target);
+                if (!is_dir($dirname)) {
+                    mkdir($dirname, $newfolderaccessmode ?: 0777, true);
+                }
+                file_put_contents($target, $zip->getFromIndex($i));
             }
-            umask($old_umask);
-            zip_close($zip);
-
-            return true;
         }
-        zip_close($zip);
+        $zip->close();
+        umask($old_umask);
+        return true;
     }
 }
 
@@ -374,6 +419,7 @@ function unzip($file, $path)
      */
     function rrmdir($dir)
     {
+        $dir = str_replace('\\', '/', realpath($dir)); // Canonicalize path
         foreach (glob($dir . '/*') as $file) {
             if (is_dir($file)) {
                 rrmdir($file);
@@ -393,8 +439,14 @@ function rrmdir($dir)
     function fileupload()
     {
         $modx = evolutionCMS();
-        $startpath = is_dir($_REQUEST['path']) ? $_REQUEST['path'] : removeLastPath($_REQUEST['path']);
-        $filemanager_path = evolutionCMS()->getConfig('filemanager_path', MODX_BASE_PATH);
+        $filemanager_path = rtrim(str_replace('\\', '/', realpath(evolutionCMS()->getConfig('filemanager_path', MODX_BASE_PATH))), '/'); // Canonicalize base path
+        $requested_path = ltrim($_REQUEST['path'] ?? '', '/');
+        $startpath = str_replace('\\', '/', realpath($filemanager_path . '/' . $requested_path));
+        $startpath = rtrim($startpath, '/');
+        // Ensure startpath is within filemanager_path
+        if (strpos($startpath, $filemanager_path) !== 0 || !is_dir($startpath)) {
+            return '<p><span class="warning">Invalid path.</span></p>';
+        }
         $new_file_permissions = octdec(evolutionCMS()->getConfig('new_file_permissions', '0666'));
         global $_lang, $uploadablefiles;
         $msg = '';
@@ -415,17 +467,21 @@ function fileupload()
                 ], $nameparts, ['file_manager']);
                 $name = implode('.', $nameparts);
             }
+            // Sanitize name to prevent traversal or invalid chars
+            $name = preg_replace('/[^\w\.-]/', '', $name);
+            $name = ltrim($name, '.');
             $userfile['name'] = $name;
             $userfile['type'] = $_FILES['userfile']['type'][$i];
 
             // this seems to be an upload action.
-            $path = MODX_SITE_URL . substr($startpath, strlen($filemanager_path), strlen($startpath));
-            $path = rtrim($path, '/') . '/' . $userfile['name'];
-            $msg .= $path;
+            $rel_path = ltrim(substr($startpath, strlen($filemanager_path)), '/');
+            $path = MODX_SITE_URL . ($rel_path ? $rel_path . '/' : '') . $userfile['name'];
+            $msg .= htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
             if ($userfile['error'] == 0) {
-                $img = (strpos($userfile['type'],
-                        'image') !== false) ? '<br /><img src="' . $path . '" height="75" />' : '';
-                $msg .= "<p>" . $_lang['files_file_type'] . $userfile['type'] . ", " . niceSize(filesize($userfile['tmp_name'])) . $img . '</p>';
+                $img = (strpos($userfile['type'],'image') !== false) ? '<br /><img src="'
+                    . htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . '" height="75" />' : '';
+                $msg .= "<p>" . $_lang['files_file_type'] . htmlspecialchars($userfile['type'], ENT_QUOTES,
+                        'UTF-8') . ", " . niceSize(filesize($userfile['tmp_name'])) . $img . '</p>';
             }
 
             $userfilename = $userfile['tmp_name'];
@@ -435,23 +491,25 @@ function fileupload()
                 if (!checkExtension($userfile['name'])) {
                     $msg .= '<p><span class="warning">' . $_lang['files_filetype_notok'] . '</span></p>';
                 } else {
-                    if (@move_uploaded_file($userfile['tmp_name'], $_POST['path'] . '/' . $userfile['name'])) {
+                    $targetFile = $startpath . '/' . $userfile['name'];
+                    if (@move_uploaded_file($userfile['tmp_name'], $targetFile)) {
                         // Ryan: Repair broken permissions issue with file manager
                         if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
-                            @chmod($_POST['path'] . "/" . $userfile['name'], $new_file_permissions);
+                            @chmod($targetFile, $new_file_permissions);
                         }
                         // Ryan: End
                         $msg .= '<p><span class="success">' . $_lang['files_upload_ok'] . '</span></p><hr/>';
 
                         // invoke OnFileManagerUpload event
                         $modx->invokeEvent('OnFileManagerUpload', [
-                            'filepath' => $_POST['path'],
+                            'filepath' => $startpath,
                             'filename' => $userfile['name']
                         ]);
                         // Log the change
-                        logFileChange('upload', $_POST['path'] . '/' . $userfile['name']);
+                        logFileChange('upload', $targetFile);
                     } else {
-                        $msg .= '<p><span class="warning">' . $_lang['files_upload_copyfailed'] . '</span> ' . $_lang["files_upload_permissions_error"] . '</p>';
+                        $msg .= '<p><span class="warning">' . $_lang['files_upload_copyfailed'] . '</span> '
+                            . $_lang["files_upload_permissions_error"] . '</p>';
                     }
                 }
             } else {
@@ -492,15 +550,19 @@ function textsave()
     {
         global $_lang;
 
-        $msg = $_lang['editing_file'];
-        $filename = $_POST['path'];
+        $filemanager_path = rtrim(str_replace('\\', '/', realpath(evolutionCMS()->getConfig('filemanager_path', MODX_BASE_PATH))), '/');
+        $requested_path = ltrim($_POST['path'] ?? '', '/');
+        $filename = str_replace('\\', '/', realpath($filemanager_path . '/' . $requested_path));
+        if (strpos($filename, $filemanager_path) !== 0 || !is_file($filename)) {
+            return '<span class="warning"><b>Invalid path.</b></span><br /><br />';
+        }
         $content = $_POST['content'];
 
         // Write $content to our opened file.
         if (file_put_contents($filename, $content) === false) {
-            $msg .= '<span class="warning"><b>' . $_lang['file_not_saved'] . '</b></span><br /><br />';
+            $msg = '<span class="warning"><b>' . $_lang['file_not_saved'] . '</b></span><br /><br />';
         } else {
-            $msg .= '<span class="success"><b>' . $_lang['file_saved'] . '</b></span><br /><br />';
+            $msg = '<span class="success"><b>' . $_lang['file_saved'] . '</b></span><br /><br />';
             $_REQUEST['mode'] = 'edit';
         }
         // Log the change
@@ -518,9 +580,14 @@ function delete_file()
     {
         global $_lang;
 
-        $msg = sprintf($_lang['deleting_file'], str_replace('\\', '/', $_REQUEST['path']));
+        $filemanager_path = rtrim(str_replace('\\', '/', realpath(evolutionCMS()->getConfig('filemanager_path', MODX_BASE_PATH))), '/');
+        $requested_path = ltrim($_REQUEST['path'] ?? '', '/');
+        $file = str_replace('\\', '/', realpath($filemanager_path . '/' . $requested_path));
+        if (strpos($file, $filemanager_path) !== 0 || !is_file($file)) {
+            return '<span class="warning"><b>Invalid path.</b></span><br /><br />';
+        }
+        $msg = sprintf($_lang['deleting_file'], str_replace('\\', '/', $file));
 
-        $file = $_REQUEST['path'];
         if (!evolutionCMS()->hasPermission('file_manager') || !@unlink($file)) {
             $msg .= '<span class="warning"><b>' . $_lang['file_not_deleted'] . '</b></span><br /><br />';
         } else {
@@ -582,7 +649,7 @@ function checkToken()
      */
     function makeToken()
     {
-        $newToken = uniqid('');
+        $newToken = uniqid('', true);
         $_SESSION['token'] = $newToken;
 
         return $newToken;
diff --git a/install/index.php b/install/index.php
index d32c5010a5..4ab0a6fe5b 100644
--- a/install/index.php
+++ b/install/index.php
@@ -138,7 +138,11 @@
     if (! file_exists($controller)) {
         die("Invalid install action attempted. [action={$action}]");
     }
-    require $controller;
+    try {
+        require $controller;
+    } catch (Exception $e) {
+        echo $e->getMessage();
+    }
 
     $ph['content'] = ob_get_contents();
     ob_end_clean();
diff --git a/install/src/controllers/connection.php b/install/src/controllers/connection.php
index 9068104d25..6f920b487b 100644
--- a/install/src/controllers/connection.php
+++ b/install/src/controllers/connection.php
@@ -1,4 +1,5 @@
 <?php
+// step 2 part 2
 $installMode = isset($_POST['installmode']) ? (int)$_POST['installmode'] : 0;
 $dbTypes = ['mysql' => 'MySQL', 'pgsql' => 'PostgreSQL', 'sqlite' => 'SQLite'];
 
@@ -72,7 +73,7 @@
                 }
             }
             if (!$conn || !$result) {
-                $upgradeable = (isset($_POST['installmode']) && $_POST['installmode'] === 'new') ? 0 : 2;
+                $upgradeable = ($installMode === 0) ? 0 : 2;
             } else {
                 $upgradeable = 1;
             }
@@ -143,7 +144,7 @@
 $ph['database_name'] = escapeHtmlAttribute(isset($_POST['database_name']) ? $_POST['database_name'] : $database_name);
 $ph['tableprefix'] = escapeHtmlAttribute(isset($_POST['tableprefix']) ? $_POST['tableprefix'] : $table_prefix);
 $ph['database_collation'] = escapeHtmlAttribute(isset($_POST['database_collation']) ? $_POST['database_collation'] : $database_collation);
-$ph['show#AUH'] = ($installMode == 0) ? '' : 'hidden';
+$ph['show#AUH'] = ($installMode === 0) ? '' : 'hidden';
 $ph['cmsadmin'] = escapeHtmlAttribute(isset($_POST['cmsadmin']) ? $_POST['cmsadmin'] : 'admin');
 $ph['cmsadminemail'] = escapeHtmlAttribute(isset($_POST['cmsadminemail']) ? $_POST['cmsadminemail'] : '');
 $ph['cmspassword'] = escapeHtmlAttribute(isset($_POST['cmspassword']) ? $_POST['cmspassword'] : '');
diff --git a/install/src/controllers/connection/collation.php b/install/src/controllers/connection/collation.php
index 55c71ae7d2..bb6241b5c9 100644
--- a/install/src/controllers/connection/collation.php
+++ b/install/src/controllers/connection/collation.php
@@ -1,10 +1,14 @@
 <?php
-$driver = validateDbType($_POST['database_type']);
-$host = validateDbHost($_POST['host'], $driver);
-$uid = validateDbUser($_POST['uid'], $driver);
-$pwd = validateDbPassword($_POST['pwd'], $driver);
-$database_name = isset($_POST['database_name']) && $_POST['database_name'] !== '' ? validateDbName($_POST['database_name']) : '';
-
+try {
+    $driver = validateDbType($_POST['database_type']);
+    $host = validateDbHost($_POST['host'], $driver);
+    $uid = validateDbUser($_POST['uid'], $driver);
+    $pwd = validateDbPassword($_POST['pwd'], $driver);
+    $database_name = isset($_POST['database_name']) && $_POST['database_name'] !== ''
+        ? validateDbName($_POST['database_name']) : '';
+} catch (Throwable $e) {
+    echo '<span id="database_fail">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
+}
 try {
     $dsn = $driver . ':host=' . $host;
     $output = '<select id="database_collation" name="database_collation">';
diff --git a/install/src/controllers/connection/databasetest.php b/install/src/controllers/connection/databasetest.php
index 8d190fcfd9..371ba4cc75 100644
--- a/install/src/controllers/connection/databasetest.php
+++ b/install/src/controllers/connection/databasetest.php
@@ -101,6 +101,9 @@
         echo $output . '<span id="database_fail">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
         exit();
     }
+} catch (Throwable $e) {
+    echo $output . '<span id="database_fail">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
+    exit();
 }
 
 try {
@@ -143,8 +146,7 @@
 
     echo $output . '<span id="database_pass"> ' . $_lang['status_passed'] . '</span>';
     exit();
-} catch (PDOException $e) {
+} catch (Throwable $e) {
     echo $output . '<span id="database_fail">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
+    exit();
 }
-
-echo $output;
diff --git a/install/src/controllers/connection/servertest.php b/install/src/controllers/connection/servertest.php
index 2e65c22859..c0b6243500 100644
--- a/install/src/controllers/connection/servertest.php
+++ b/install/src/controllers/connection/servertest.php
@@ -1,8 +1,12 @@
 <?php
-$method = validateDbType($_POST['database_type']);
-$host = validateDbHost($_POST['host'], $method);
-$uid = validateDbUser($_POST['uid'], $method);
-$pwd = validateDbPassword($_POST['pwd'], $method);
+try {
+    $method = validateDbType($_POST['database_type']);
+    $host = validateDbHost($_POST['host'], $method);
+    $uid = validateDbUser($_POST['uid'], $method);
+    $pwd = validateDbPassword($_POST['pwd'], $method);
+} catch (Throwable $e) {
+    exit('<span id="server_fail"> ' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>');
+}
 
 $output = $_lang['status_connecting'];
 try {
@@ -12,7 +16,7 @@
         $dbh = new PDO($method . ':host=' . $host . ($method === 'pgsql' ? ';dbname=postgres' : ''), $uid, $pwd);
     }
     $output .= '<span id="server_pass"> ' . $_lang['status_passed_server'] . '</span>';
-} catch (PDOException $e) {
+} catch (Throwable $e) {
     $output .= '<span id="server_fail"> ' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
 }
 echo $output;
diff --git a/install/src/controllers/install.php b/install/src/controllers/install.php
index 19b00c9727..1065e5ca65 100644
--- a/install/src/controllers/install.php
+++ b/install/src/controllers/install.php
@@ -1,4 +1,5 @@
 <?php
+// step 5
 use EvolutionCMS\Facades\Console;
 
 ini_set('display_errors', 1);
@@ -74,10 +75,11 @@
 
 global $conn;
 try {
+    $pdoOptions = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
     if ($database_type === 'sqlite') {
         $dbh = new PDO('sqlite:' . sqliteDbNameToPath($database_name));
     } else {
-        $dbh = new PDO($database_type . ':host=' . $database_server . ';dbname=' . $database_name, $database_user, $database_password);
+        $dbh = new PDO($database_type . ':host=' . $database_server . ';dbname=' . $database_name, $database_user, $database_password, $pdoOptions);
     }
 
     include dirname(__DIR__) . '/processor/result.php';
diff --git a/install/src/controllers/language.php b/install/src/controllers/language.php
index 761be96559..7b020f4a7e 100644
--- a/install/src/controllers/language.php
+++ b/install/src/controllers/language.php
@@ -1,4 +1,5 @@
 <?php
+// step 1
 $content = file_get_contents(dirname(__DIR__) . '/template/actions/language.tpl');
 $content = parse($content, array_merge(ph(), ['langOptions' => getLangOptions($install_language)]));
 $content = parse($content, $_lang,'[%','%]');
diff --git a/install/src/controllers/mode.php b/install/src/controllers/mode.php
index 7013b7f4c9..a3fd7ee078 100644
--- a/install/src/controllers/mode.php
+++ b/install/src/controllers/mode.php
@@ -1,4 +1,5 @@
 <?php
+// step 2 part 1
 // Determine upgradeability
 $isConnectable = false;
 $installMode = isset($_POST['installmode']) ? (int)$_POST['installmode'] : 0;
@@ -11,8 +12,12 @@
     if (isset($db_config['database'])) {
         try {
             $pdoOptions = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
-            $dbh = new PDO($db_config['driver'] . ':host=' . $db_config['host'] . ';dbname='
-                . $db_config['database'], $db_config['username'], $db_config['password'], $pdoOptions);
+            if ($db_config['driver'] === 'sqlite') {
+                $dbh = new PDO('sqlite:' . $db_config['database']);
+            } else {
+                $dbh = new PDO($db_config['driver'] . ':host=' . $db_config['host'] . ';dbname='
+                    . $db_config['database'], $db_config['username'], $db_config['password'], $pdoOptions);
+            }
             $isConnectable = true;
         } catch (PDOException $e) {
             $isConnectable = false;
diff --git a/install/src/controllers/options.php b/install/src/controllers/options.php
index 5860f26c41..3d24c1dd45 100644
--- a/install/src/controllers/options.php
+++ b/install/src/controllers/options.php
@@ -1,4 +1,5 @@
 <?php
+// step 3
 const DB_CONNECTION_CONFIG_FILE = EVO_CORE_PATH . 'config/database/connections/default.php';
 $installMode = isset($_POST['installmode']) ? (int)$_POST['installmode'] : (is_readable(DB_CONNECTION_CONFIG_FILE) ? 1 : 0);
 
diff --git a/install/src/controllers/summary.php b/install/src/controllers/summary.php
index a7e5e2a503..c6a0481c0e 100644
--- a/install/src/controllers/summary.php
+++ b/install/src/controllers/summary.php
@@ -1,4 +1,5 @@
 <?php
+// step 4
 if (!function_exists('f_owc')) {
     /**
      * @param $path
diff --git a/install/src/functions.php b/install/src/functions.php
index 25a775a6ed..55ea096cdc 100644
--- a/install/src/functions.php
+++ b/install/src/functions.php
@@ -259,13 +259,19 @@ function validateLangCode($langCode)
  */
 function ph()
 {
-    global $_lang, $moduleName, $moduleVersion, $evo_textdir, $evo_release_date;
+    global $_lang, $base_path, $moduleVersion, $evo_textdir, $evo_release_date;
     $ph = [];
 
     if (isset($_SESSION['installmode'])) {
         $installmode = $_SESSION['installmode'];
     } else {
-        $installmode = get_installmode();
+        $installmode = isset($_POST['installmode']) ? (int)$_POST['installmode'] : 0;
+        if (file_exists("{$base_path}manager/includes/config.inc.php")) { ?>
+            Backup and delete the file `manager/includes/config.inc.php` then <a href="<?= htmlspecialchars($_SERVER['REQUEST_URI'],
+                ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>">reload the page</a>
+            <?php exit();
+        }
+        // @deprecated get_installmode(); wants config.inc.php
     }
 
     $ph['pagetitle'] = $_lang['modx_install'];
@@ -282,6 +288,7 @@ function ph()
 }
 
 /**
+ * @deprecated config.inc.php was split to Laravel configs
  * @return int
  */
 function get_installmode()
diff --git a/manager/actions/files.dynamic.php b/manager/actions/files.dynamic.php
index 9f2170fd50..9e8ffff321 100755
--- a/manager/actions/files.dynamic.php
+++ b/manager/actions/files.dynamic.php
@@ -7,67 +7,57 @@
 }
 $token_check = checkToken();
 $newToken = makeToken();
-
 // settings
 $theme_image_path = MODX_MANAGER_URL . 'media/style/' . evo()->getConfig('manager_theme') . '/images/';
 $excludes = [
-        '.',
-        '..',
-        '.svn',
-        '.git',
-        '.idea'
+    '.',
+    '..',
+    '.svn',
+    '.git',
+    '.idea'
 ];
 $alias_suffix = (!empty($friendly_url_suffix)) ? ',' . ltrim($friendly_url_suffix, '.') : '';
 $editablefiles = explode(',', 'txt,php,tpl,less,sass,scss,shtml,html,htm,xml,js,css,pageCache,htaccess,json,ini' . $alias_suffix);
 $inlineviewablefiles = explode(',', 'txt,php,tpl,less,sass,scss,html,htm,xml,js,css,pageCache,htaccess,json,ini' . $alias_suffix);
 $viewablefiles = explode(',', 'jpg,gif,png,ico');
-
 $editablefiles = add_dot($editablefiles);
 $inlineviewablefiles = add_dot($inlineviewablefiles);
 $viewablefiles = add_dot($viewablefiles);
-
 $protected_path = [];
-/* jp only
-if($_SESSION['mgrRole']!=1)
-{
-*/
-$protected_path[] = MODX_MANAGER_PATH;
-$protected_path[] = MODX_BASE_PATH . 'temp/backup';
-$protected_path[] = MODX_BASE_PATH . 'assets/backup';
-
+/* jp only if($_SESSION['mgrRole']!=1) { */
+$protected_path[] = str_replace('\\', '/', MODX_MANAGER_PATH);
+$protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'temp/backup');
+$protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'assets/backup');
 if (!evo()->hasPermission('save_plugin')) {
-    $protected_path[] = MODX_BASE_PATH . 'assets/plugins';
+    $protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'assets/plugins');
 }
 if (!evo()->hasPermission('save_snippet')) {
-    $protected_path[] = MODX_BASE_PATH . 'assets/snippets';
+    $protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'assets/snippets');
 }
 if (!evo()->hasPermission('save_template')) {
-    $protected_path[] = MODX_BASE_PATH . 'assets/templates';
+    $protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'assets/templates');
 }
 if (!evo()->hasPermission('save_module')) {
-    $protected_path[] = MODX_BASE_PATH . 'assets/modules';
+    $protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'assets/modules');
 }
 if (!evo()->hasPermission('empty_cache')) {
-    $protected_path[] = MODX_BASE_PATH . 'assets/cache';
+    $protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'assets/cache');
 }
 if (!evo()->hasPermission('import_static')) {
-    $protected_path[] = MODX_BASE_PATH . 'temp/import';
-    $protected_path[] = MODX_BASE_PATH . 'assets/import';
+    $protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'temp/import');
+    $protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'assets/import');
 }
 if (!evo()->hasPermission('export_static')) {
-    $protected_path[] = MODX_BASE_PATH . 'temp/export';
-    $protected_path[] = MODX_BASE_PATH . 'assets/export';
+    $protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'temp/export');
+    $protected_path[] = str_replace('\\', '/', MODX_BASE_PATH . 'assets/export');
 }
-/*
-}
-*/
-
+/* } */
 // Mod added by Raymond
 $enablefileunzip = true;
 $enablefiledownload = true;
 $newfolderaccessmode = octdec(evo()->getConfig('new_folder_permissions', '0777'));
 $new_file_permissions = octdec(evo()->getConfig('new_file_permissions', '0666'));
-// End Mod -  by Raymond
+// End Mod - by Raymond
 // make arrays from the file upload settings
 $upload_files = explode(',', evo()->getConfig('upload_files', ''));
 $upload_images = explode(',', evo()->getConfig('upload_images', ''));
@@ -76,40 +66,34 @@
 $uploadablefiles = array_merge($upload_files, $upload_images, $upload_media);
 $uploadablefiles = add_dot($uploadablefiles);
 $upload_maxsize = evo()->getConfig('upload_maxsize');
-$filemanager_path = evo()->getConfig('filemanager_path', MODX_BASE_PATH);
-
+$filemanager_path = rtrim(str_replace('\\', '/', realpath(evo()->getConfig('filemanager_path', MODX_BASE_PATH))), '/');
+$base_path = rtrim(str_replace('\\', '/', realpath(MODX_BASE_PATH)), '/');
 // end settings
-
 // get the current work directory
-if (isset($_REQUEST['path']) && !empty($_REQUEST['path'])) {
-    $_REQUEST['path'] = str_replace('..', '', $_REQUEST['path']);
-    $startpath = is_dir($_REQUEST['path']) ? $_REQUEST['path'] : removeLastPath($_REQUEST['path']);
+$requested_path = ltrim(isset($_REQUEST['path']) ? $_REQUEST['path'] : '', '/');
+$fullpath = str_replace('\\', '/', realpath($filemanager_path . '/' . $requested_path));
+$selFile = '';
+if (is_file($fullpath)) {
+    $selFile = $requested_path;
+    $startpath = rtrim(str_replace('\\', '/', realpath(dirname($fullpath))), '/');
+} elseif (is_dir($fullpath)) {
+    $startpath = $fullpath;
 } else {
     $startpath = $filemanager_path;
 }
-$startpath = rtrim($startpath, '/');
-
-if (!is_readable($startpath)) {
-    evo()->webAlertAndQuit($_lang["not_readable_dir"]);
+if ($startpath === false || strpos($startpath, $filemanager_path) !== 0 || !is_readable($startpath)) {
+    evo()->webAlertAndQuit($_lang["files_access_denied"]);
 }
-
 // Raymond: get web start path for showing pictures
-$rf = realpath($filemanager_path);
-$rw = realpath('../');
-$webstart_path = str_replace('\\', '/', str_replace($rw, '', $rf));
-if (substr($webstart_path, 0, 1) == '/') {
-    $webstart_path = '..' . $webstart_path;
-} else {
-    $webstart_path = '../' . $webstart_path;
-} ?>
+$relative_path = ltrim(substr($startpath, strlen($filemanager_path)), '/');
+?>
     <script type="text/javascript">
-        var current_path = '<?= $startpath;?>';
+        var current_path = '<?= addslashes($relative_path) ?>';
         function viewfile(url) {
             var el = document.getElementById('imageviewer');
             el.innerHTML = '<img src="' + url + '" />';
             el.style.display = 'block'
         }
-
         function setColor(o, state) {
             if (!o){return;}
             if (state && o.style) {
@@ -118,11 +102,9 @@ function setColor(o, state) {
                 o.style.backgroundColor = 'transparent';
             }
         }
-
         function confirmDelete() {
             return confirm("<?= $_lang['confirm_delete_file'] ?>");
         }
-
         function confirmDeleteFolder(status) {
             if (status !== 'file_exists') {
                 return confirm("<?= $_lang['confirm_delete_dir'] ?>");
@@ -130,70 +112,59 @@ function confirmDeleteFolder(status) {
                 return confirm("<?= $_lang['confirm_delete_dir_recursive'] ?>");
             }
         }
-
         function confirmUnzip() {
             return confirm("<?= $_lang['confirm_unzip_file'] ?>");
         }
-
         function unzipFile(file) {
             if (confirmUnzip()) {
-                window.location.href = "index.php?a=31&mode=unzip&path=" + current_path + '/&file=' + file + "&token=<?= $newToken;?>";
+                window.location.href = "index.php?a=31&mode=unzip&path=" + current_path + '&file=' + file + "&token=<?= $newToken;?>";
                 return false;
             }
         }
-
         function getFolderName(a) {
             var f = window.prompt("<?= $_lang['files_dynamic_new_file_name'] ?>", '');
             if (f) a.href += encodeURI(f);
             return !!(f);
         }
-
         function getFileName(a) {
             var f = window.prompt("<?= $_lang['files_dynamic_new_file_name'] ?>", '');
             if (f) a.href += encodeURI(f);
             return !!(f);
         }
-
         function deleteFolder(folder, status) {
             if (confirmDeleteFolder(status)) {
-                window.location.href = "index.php?a=31&mode=deletefolder&path=" + current_path + "&folderpath=" + current_path + '/' + folder + "&token=<?= $newToken;?>";
+                window.location.href = "index.php?a=31&mode=deletefolder&path=" + current_path + "&folderpath=" + (current_path ? current_path + '/' : '') + folder + "&token=<?= $newToken;?>";
                 return false;
             }
         }
-
         function deleteFile(file) {
             if (confirmDelete()) {
-                window.location.href = "index.php?a=31&mode=delete&path=" + current_path + '/' + file + "&token=<?= $newToken;?>";
+                window.location.href = "index.php?a=31&mode=delete&path=" + (current_path ? current_path + '/' : '') + file + "&token=<?= $newToken;?>";
                 return false;
             }
         }
-
         function duplicateFile(file) {
             var newFilename = prompt("<?= $_lang["files_dynamic_new_file_name"] ?>", file);
             if (newFilename !== null && newFilename !== file) {
-                window.location.href = "index.php?a=31&mode=duplicate&path=" + current_path + '/' + file + "&newFilename=" + newFilename + "&token=<?= $newToken;?>";
+                window.location.href = "index.php?a=31&mode=duplicate&path=" + (current_path ? current_path + '/' : '') + file + "&newFilename=" + newFilename + "&token=<?= $newToken;?>";
             }
         }
-
         function renameFolder(dir) {
             var newDirname = prompt("<?= $_lang["files_dynamic_new_folder_name"] ?>", dir);
             if (newDirname !== null && newDirname !== dir) {
                 window.location.href = "index.php?a=31&mode=renameFolder&path=" + current_path + '&dirname=' + dir + "&newDirname=" + newDirname + "&token=<?= $newToken;?>";
             }
         }
-
         function renameFile(file) {
             var newFilename = prompt("<?= $_lang["files_dynamic_new_file_name"] ?>", file);
             if (newFilename !== null && newFilename !== file) {
-                window.location.href = "index.php?a=31&mode=renameFile&path=" + current_path + '/' + file + "&newFilename=" + newFilename + "&token=<?= $newToken;?>";
+                window.location.href = "index.php?a=31&mode=renameFile&path=" + (current_path ? current_path + '/' : '') + file + "&newFilename=" + newFilename + "&token=<?= $newToken;?>";
             }
         }
     </script>
-
     <h1>
         <i class="<?= $_style['icon_folder_open'] ?>"></i><?= $_lang['manage_files'] ?>
     </h1>
-
     <div id="actions">
         <div class="btn-group">
             <?php if (get_by_key($_POST, 'mode') == 'save' || get_by_key($_GET, 'mode') == 'edit') : ?>
@@ -213,12 +184,12 @@ function renameFile(file) {
                 $tpl = '<a class="btn btn-secondary" href="[+href+]" onclick="return getFolderName(this);"><i class="[+image+]"></i><span>[+subject+]</span></a>';
                 $ph['image'] = $_style['icon_folder_open'];
                 $ph['subject'] = $_lang['add_folder'];
-                $ph['href'] = 'index.php?a=31&mode=newfolder&path=' . urlencode($startpath) . '&name=';
+                $ph['href'] = 'index.php?a=31&mode=newfolder&path=' . urlencode($relative_path) . '&token=' . $newToken . '&name=';
                 $_ = parsePlaceholder($tpl, $ph);
 
                 $tpl = '<a class="btn btn-secondary" href="[+href+]" onclick="return getFileName(this);"><i class="[+image+]"></i><span>' . $_lang['files.dynamic.php1'] . '</span></a>';
                 $ph['image'] = $_style['icon_document'];
-                $ph['href'] = 'index.php?a=31&mode=newfile&path=' . urlencode($startpath) . '&name=';
+                $ph['href'] = 'index.php?a=31&mode=newfile&path=' . urlencode($relative_path) . '&token=' . $newToken . '&name=';
                 $_ .= parsePlaceholder($tpl, $ph);
                 echo $_;
             }
@@ -228,22 +199,32 @@ function renameFile(file) {
             </a>
         </div>
     </div>
-
     <div id="ManageFiles">
         <div class="container breadcrumbs">
             <?php
+            // Fix: Add token check for uploads
             if (!empty($_FILES['userfile'])) {
-                $information = fileupload();
+                if ($token_check) {
+                    $information = fileupload();
+                } else {
+                    echo '<span class="warning"><b>Invalid token</b></span><br /><br />';
+                }
             } elseif (get_by_key($_POST, 'mode') == 'save') {
-                echo textsave();
+                if ($token_check) {
+                    echo textsave();
+                } else {
+                    echo '<span class="warning"><b>Invalid token</b></span><br /><br />';
+                }
             } elseif (get_by_key($_REQUEST, 'mode') == 'delete') {
-                echo delete_file();
+                if ($token_check) {
+                    echo delete_file();
+                } else {
+                    echo '<span class="warning"><b>Invalid token</b></span><br /><br />';
+                }
             }
-
             if (in_array($startpath, $protected_path)) {
                 evo()->webAlertAndQuit($_lang["files.dynamic.php2"]);
             }
-
             $tpl = '<i class="[+image+] FilesTopFolder"></i>[+subject+]';
             $ph = [];
             $ph['style_path'] = $theme_image_path;
@@ -253,16 +234,13 @@ function renameFile(file) {
                 $ph['subject'] = '<span>Top</span>';
             } else {
                 $ph['image'] = '' . $_style['icon_folder_open'] . '';
-                $ph['subject'] = '<a href="index.php?a=31&mode=drill&path=' . $filemanager_path . '">Top</a>/';
+                $ph['subject'] = '<a href="index.php?a=31&mode=drill&path=">Top</a>/';
             }
-
             echo parsePlaceholder($tpl, $ph);
-
-            $len = strlen($filemanager_path);
-            if (substr($startpath, $len, strlen($startpath)) == '') {
+            $topic_path = $relative_path;
+            if ($topic_path == '') {
                 $topic_path = '/';
             } else {
-                $topic_path = substr($startpath, $len, strlen($startpath));
                 $pieces = explode('/', rtrim($topic_path, '/'));
                 $path = '';
                 $count = count($pieces);
@@ -270,9 +248,9 @@ function renameFile(file) {
                     if (empty($v)) {
                         continue;
                     }
-                    $path .= rtrim($v, '/') . '/';
+                    $path .= $v . '/';
                     if (1 < $count) {
-                        $href = 'index.php?a=31&mode=drill&path=' . urlencode($filemanager_path . $path);
+                        $href = 'index.php?a=31&mode=drill&path=' . urlencode(rtrim($path, '/'));
                         $pieces[$i] = '<a href="' . $href . '">' . trim($v, '/') . '</a>';
                     } else {
                         $pieces[$i] = '<span>' . trim($v, '/') . '</span>';
@@ -281,134 +259,205 @@ function renameFile(file) {
                 }
                 $topic_path = implode('/', $pieces);
             }
-
-            echo $topic_path; ?>
+            echo $topic_path;
+            ?>
         </div>
-        <?php // check to see user isn't trying to move below the document_root
-        if (substr(strtolower(str_replace('//', '/', $startpath . "/")), 0, $len) != strtolower(str_replace('//', '/', $filemanager_path . '/'))) {
-            evo()->webAlertAndQuit($_lang["files_access_denied"]);
+        <?php
+        // check to see user isn't trying to move below the document_root
+        // Existing check replaced with realpath check above
+
+        // Define safe unzip function
+        function safe_unzip($file, $path) {
+            $path = rtrim(str_replace('\\', '/', realpath($path)), '/\\');
+            $zip = new ZipArchive();
+            if ($zip->open($file) !== true) {
+                return false;
+            }
+            for ($i = 0; $i < $zip->numFiles; $i++) {
+                $stat = $zip->statIndex($i);
+                $filename = str_replace('\\', '/', $stat['name']);
+                if (substr($filename, 0, 1) == '/' || strpos($filename, '..') !== false || strpos($filename, ':') !== false) {
+                    continue; // skip malicious paths
+                }
+                $target = $path . '/' . $filename;
+                $target_real = rtrim(str_replace('\\', '/', realpath(dirname($target)) ?: dirname($target)), '/\\');
+                if (strpos($target_real, $path) !== 0) {
+                    continue;
+                }
+                if (substr($filename, -1) == '/') {
+                    if (!is_dir($target)) {
+                        mkdir($target, 0777, true);
+                    }
+                } else {
+                    $dirname = dirname($target);
+                    if (!is_dir($dirname)) {
+                        mkdir($dirname, 0777, true);
+                    }
+                    file_put_contents($target, $zip->getFromIndex($i));
+                }
+            }
+            $zip->close();
+            return true;
         }
 
-        // Unzip .zip files - by Raymond
+        // Unzip .zip files - by Raymond, with safe_unzip
         if ($enablefileunzip && get_by_key($_REQUEST, 'mode') == 'unzip' && is_writable($startpath)) {
-            if (!$err = unzip(realpath("{$startpath}/" . $_REQUEST['file']), realpath($startpath))) {
-                echo '<span class="warning"><b>' . $_lang['file_unzip_fail'] . ($err === 0 ? 'Missing zip library (php_zip.dll / zip.so)' : '') . '</b></span><br /><br />';
+            if ($token_check) {
+                $zipfile = str_replace('\\', '/', realpath($startpath . '/' . $_REQUEST['file']));
+                if (strpos($zipfile, $filemanager_path) !== 0) {
+                    echo '<span class="warning"><b>Invalid path.</b></span><br /><br />';
+                } else {
+                    $success = safe_unzip($zipfile, $startpath);
+                    if (!$success) {
+                        echo '<span class="warning"><b>' . $_lang['file_unzip_fail'] . '</b></span><br /><br />';
+                    } else {
+                        echo '<span class="success"><b>' . $_lang['file_unzip'] . '</b></span><br /><br />';
+                    }
+                }
             } else {
-                echo '<span class="success"><b>' . $_lang['file_unzip'] . '</b></span><br /><br />';
+                echo '<span class="warning"><b>Invalid token</b></span><br /><br />';
             }
         }
         // End Unzip - Raymond
-
         // New Folder & Delete Folder option - Raymond
         if (is_writable($startpath)) {
             // Delete Folder
             if (get_by_key($_REQUEST, 'mode') == 'deletefolder') {
-                $folder = $_REQUEST['folderpath'];
-                if (!$token_check || !@rrmdir($folder)) {
-                    echo '<span class="warning"><b>' . $_lang['file_folder_not_deleted'] . '</b></span><br /><br />';
+                if ($token_check) {
+                    $requested_folderpath = ltrim($_REQUEST['folderpath'] ?? '', '/');
+                    $folder = str_replace('\\', '/', realpath($filemanager_path . '/' . $requested_folderpath));
+                    if (strpos($folder, $filemanager_path) !== 0 || !is_dir($folder)) {
+                        echo '<span class="warning"><b>Invalid path.</b></span><br /><br />';
+                    } elseif (!@rrmdir($folder)) {
+                        echo '<span class="warning"><b>' . $_lang['file_folder_not_deleted'] . '</b></span><br /><br />';
+                    } else {
+                        echo '<span class="success"><b>' . $_lang['file_folder_deleted'] . '</b></span><br /><br />';
+                    }
                 } else {
-                    echo '<span class="success"><b>' . $_lang['file_folder_deleted'] . '</b></span><br /><br />';
+                    echo '<span class="warning"><b>Invalid token</b></span><br /><br />';
                 }
             }
-
             // Create folder here
             if (get_by_key($_REQUEST, 'mode') == 'newfolder') {
-                $old_umask = umask(0);
-                $foldername = str_replace('..\\', '', str_replace('../', '', $_REQUEST['name']));
-                if (!mkdirs("{$startpath}/{$foldername}", 0777)) {
-                    echo '<span class="warning"><b>', $_lang['file_folder_not_created'], '</b></span><br /><br />';
-                } else {
-                    if (!@chmod($startpath . '/' . $foldername, $newfolderaccessmode)) {
-                        echo '<span class="warning"><b>' . $_lang['file_folder_chmod_error'] . '</b></span><br /><br />';
+                if ($token_check) {
+                    $old_umask = umask(0);
+                    $foldername = str_replace([ '..\\', '../', '\\', '/' ], '', $_REQUEST['name']);
+                    $newdir = $startpath . '/' . $foldername;
+                    if (!mkdirs($newdir, 0777)) {
+                        echo '<span class="warning"><b>', $_lang['file_folder_not_created'], '</b></span><br /><br />';
                     } else {
-                        echo '<span class="success"><b>' . $_lang['file_folder_created'] . '</b></span><br /><br />';
+                        if (!@chmod($newdir, $newfolderaccessmode)) {
+                            echo '<span class="warning"><b>' . $_lang['file_folder_chmod_error'] . '</b></span><br /><br />';
+                        } else {
+                            echo '<span class="success"><b>' . $_lang['file_folder_created'] . '</b></span><br /><br />';
+                        }
                     }
+                    umask($old_umask);
+                } else {
+                    echo '<span class="warning"><b>Invalid token</b></span><br /><br />';
                 }
-                umask($old_umask);
             }
             // Create file here
             if (get_by_key($_REQUEST, 'mode') == 'newfile') {
-                $old_umask = umask(0);
-                $filename = str_replace('..\\', '', str_replace('../', '', $_REQUEST['name']));
-
-                if (!checkExtension($filename)) {
-                    echo '<span class="warning"><b>' . $_lang['files_filetype_notok'] . '</b></span><br /><br />';
-                } elseif (preg_match('@(\\\\|\/|\:|\;|\,|\*|\?|\"|\<|\>|\||\?)@', $filename) !== 0) {
-                    echo $_lang['files.dynamic.php3'];
-                } else {
-                    $rs = file_put_contents("{$startpath}/{$filename}", '');
-                    if ($rs === false) {
-                        echo '<span class="warning"><b>', $_lang['file_folder_not_created'], '</b></span><br /><br />';
+                if ($token_check) {
+                    $old_umask = umask(0);
+                    $filename = str_replace([ '..\\', '../', '\\', '/' ], '', $_REQUEST['name']);
+                    if (!checkExtension($filename)) {
+                        echo '<span class="warning"><b>' . $_lang['files_filetype_notok'] . '</b></span><br /><br />';
+                    } elseif (preg_match('@(\\\\|\/|\:|\;|\,|\*|\?|\"|\<|\>|\||\?)@', $filename) !== 0) {
+                        echo $_lang['files.dynamic.php3'];
                     } else {
-                        echo $_lang['files.dynamic.php4'];
+                        $rs = file_put_contents($startpath . '/' . $filename, '');
+                        if ($rs === false) {
+                            echo '<span class="warning"><b>', $_lang['file_folder_not_created'], '</b></span><br /><br />';
+                        } else {
+                            echo $_lang['files.dynamic.php4'];
+                        }
+                        umask($old_umask);
                     }
-                    umask($old_umask);
+                } else {
+                    echo '<span class="warning"><b>Invalid token</b></span><br /><br />';
                 }
             }
             // Duplicate file here
             if (get_by_key($_REQUEST, 'mode') == 'duplicate') {
-                $old_umask = umask(0);
-                $filename = $_REQUEST['path'];
-                $newFilename = str_replace('..\\', '', str_replace('../', '', $_REQUEST['newFilename']));
-
-                if (!checkExtension($newFilename)) {
-                    echo '<span class="warning"><b>' . $_lang['files_filetype_notok'] . '</b></span><br /><br />';
-                } elseif (preg_match('@(\\\\|\/|\:|\;|\,|\*|\?|\"|\<|\>|\||\?)@', $newFilename) !== 0) {
-                    echo $_lang['files.dynamic.php3'];
-                } else {
-                    if (!copy($filename, MODX_BASE_PATH . $newFilename)) {
-                        echo $_lang['files.dynamic.php5'];
+                if ($token_check) {
+                    $old_umask = umask(0);
+                    $requested_file = ltrim($_REQUEST['path'] ?? '', '/');
+                    $filename = str_replace('\\', '/', realpath($filemanager_path . '/' . $requested_file));
+                    if (strpos($filename, $filemanager_path) !== 0 || !is_file($filename)) {
+                        echo '<span class="warning"><b>Invalid path.</b></span><br /><br />';
+                    } else {
+                        $newFilename = str_replace([ '..\\', '../', '\\', '/' ], '', $_REQUEST['newFilename']);
+                        if (!checkExtension($newFilename)) {
+                            echo '<span class="warning"><b>' . $_lang['files_filetype_notok'] . '</b></span><br /><br />';
+                        } elseif (preg_match('@(\\\\|\/|\:|\;|\,|\*|\?|\"|\<|\>|\||\?)@', $newFilename) !== 0) {
+                            echo $_lang['files.dynamic.php3'];
+                        } else {
+                            // Fix: Copy to same directory, not base path
+                            $newpath = dirname($filename) . '/' . $newFilename;
+                            if (!copy($filename, $newpath)) {
+                                echo $_lang['files.dynamic.php5'];
+                            }
+                            umask($old_umask);
+                        }
                     }
-                    umask($old_umask);
+                } else {
+                    echo '<span class="warning"><b>Invalid token</b></span><br /><br />';
                 }
             }
             // Rename folder here
             if (get_by_key($_REQUEST, 'mode') == 'renameFolder') {
-                $old_umask = umask(0);
-                $dirname = $_REQUEST['path'] . '/' . $_REQUEST['dirname'];
-                $newDirname = str_replace([
-                        '..\\',
-                        '../',
-                        '\\',
-                        '/'
-                ], '', $_REQUEST['newDirname']);
-
-                if (preg_match('@(\\\\|\/|\:|\;|\,|\*|\?|\"|\<|\>|\||\?)@', $newDirname) !== 0) {
-                    echo $_lang['files.dynamic.php3'];
-                } else if (!rename($dirname, $_REQUEST['path'] . '/' . $newDirname)) {
-                    echo '<span class="warning"><b>', $_lang['file_folder_not_created'], '</b></span><br /><br />';
+                if ($token_check) {
+                    $old_umask = umask(0);
+                    $requested_dir = ltrim($_REQUEST['path'] ?? '', '/');
+                    $dirname = str_replace('\\', '/', realpath($filemanager_path . '/' . $requested_dir . '/' . $_REQUEST['dirname']));
+                    if (strpos($dirname, $filemanager_path) !== 0 || !is_dir($dirname)) {
+                        echo '<span class="warning"><b>Invalid path.</b></span><br /><br />';
+                    } else {
+                        $newDirname = str_replace([ '..\\', '../', '\\', '/' ], '', $_REQUEST['newDirname']);
+                        if (preg_match('@(\\\\|\/|\:|\;|\,|\*|\?|\"|\<|\>|\||\?)@', $newDirname) !== 0) {
+                            echo $_lang['files.dynamic.php3'];
+                        } else if (!rename($dirname, dirname($dirname) . '/' . $newDirname)) {
+                            echo '<span class="warning"><b>', $_lang['file_folder_not_created'], '</b></span><br /><br />';
+                        }
+                        umask($old_umask);
+                    }
+                } else {
+                    echo '<span class="warning"><b>Invalid token</b></span><br /><br />';
                 }
-                umask($old_umask);
             }
             // Rename file here
             if (get_by_key($_REQUEST, 'mode') == 'renameFile') {
-                $old_umask = umask(0);
-                $path = dirname($_REQUEST['path']);
-                $filename = $_REQUEST['path'];
-                $newFilename = str_replace([
-                        '..\\',
-                        '../',
-                        '\\',
-                        '/'
-                ], '', $_REQUEST['newFilename']);
-
-                if (!checkExtension($newFilename)) {
-                    echo '<span class="warning"><b>' . $_lang['files_filetype_notok'] . '</b></span><br /><br />';
-                } elseif (preg_match('@(\\\\|\/|\:|\;|\,|\*|\?|\"|\<|\>|\||\?)@', $newFilename) !== 0) {
-                    echo $_lang['files.dynamic.php3'];
-                } else {
-                    if (!rename($filename, $path . '/' . $newFilename)) {
-                        echo $_lang['files.dynamic.php5'];
+                if ($token_check) {
+                    $old_umask = umask(0);
+                    $requested_file = ltrim($_REQUEST['path'] ?? '', '/');
+                    $filename = str_replace('\\', '/', realpath($filemanager_path . '/' . $requested_file));
+                    if (strpos($filename, $filemanager_path) !== 0 || !is_file($filename)) {
+                        echo '<span class="warning"><b>Invalid path.</b></span><br /><br />';
+                    } else {
+                        $path = dirname($filename);
+                        $newFilename = str_replace([ '..\\', '../', '\\', '/' ], '', $_REQUEST['newFilename']);
+                        if (!checkExtension($newFilename)) {
+                            echo '<span class="warning"><b>' . $_lang['files_filetype_notok'] . '</b></span><br /><br />';
+                        } elseif (preg_match('@(\\\\|\/|\:|\;|\,|\*|\?|\"|\<|\>|\||\?)@', $newFilename) !== 0) {
+                            echo $_lang['files.dynamic.php3'];
+                        } else {
+                            if (!rename($filename, $path . '/' . $newFilename)) {
+                                echo $_lang['files.dynamic.php5'];
+                            }
+                            umask($old_umask);
+                        }
                     }
-                    umask($old_umask);
+                } else {
+                    echo '<span class="warning"><b>Invalid token</b></span><br /><br />';
                 }
             }
-        }
-        // End New Folder - Raymond
-
+        } // End New Folder - Raymond
         if (strlen(MODX_BASE_PATH) < strlen($filemanager_path)) {
             $len--;
-        } ?>
+        }
+        ?>
         <script type="text/javascript" src="media/script/tablesort.js"></script>
         <div class="table-responsive">
             <table id="FilesTable" class="table data">
@@ -420,63 +469,49 @@ function renameFile(file) {
                     <th class="sortable" style="width: 1%;" class="text-nowrap"><?= $_lang['files_fileoptions'] ?></th>
                 </tr>
                 </thead>
-                <?php
-                extract(ls($startpath, compact('len', 'webstart_path', 'editablefiles', 'enablefileunzip', 'inlineviewablefiles', 'uploadablefiles', 'enablefiledownload', 'viewablefiles', 'protected_path', 'excludes')), EXTR_OVERWRITE);
+                <?php extract(ls($startpath, compact('len', 'editablefiles', 'enablefileunzip', 'inlineviewablefiles', 'uploadablefiles', 'enablefiledownload', 'viewablefiles', 'protected_path', 'excludes', 'filemanager_path', 'base_path')), EXTR_OVERWRITE);
                 echo "\n\n\n";
-                if ($folders == 0 && $files == 0) {
-                    echo '<tr><td colspan="4"><i class="' . $_style['icon_folder'] . ' FilesDeletedFolder"></i> <span style="color:#888;cursor:default;"> ' . $_lang['files_directory_is_empty'] . ' </span></td></tr>';
-                }
+                if ($folders == 0 && $files == 0) { echo '<tr><td colspan="4"><i class="' . $_style['icon_folder'] . ' FilesDeletedFolder"></i> <span style="color:#888;cursor:default;"> ' . $_lang['files_directory_is_empty'] . ' </span></td></tr>'; }
                 ?>
             </table>
         </div>
-
         <div class="container">
             <p>
-                <?php
-                echo $_lang['files_directories'] . ': <b>' . $folders . '</b> ';
+                <?php echo $_lang['files_directories'] . ': <b>' . $folders . '</b> ';
                 echo $_lang['files_files'] . ': <b>' . $files . '</b> ';
                 echo $_lang['files_data'] . ': <b><span dir="ltr">' . niceSize($filesizes) . '</span></b> ';
-                echo $_lang['files_dirwritable'] . ' <b>' . (is_writable($startpath) == 1 ? $_lang['yes'] . '.' : $_lang['no']) . '.</b>'
+                echo $_lang['files_dirwritable'] . ' <b>' . (is_writable($startpath) == 1 ? $_lang['yes'] : $_lang['no']) . '.</b>'
                 ?>
             </p>
-
-            <?php
-            if (((@ini_get("file_uploads") == true) || get_cfg_var("file_uploads") == 1) && is_writable($startpath)) {
-                @ini_set("upload_max_filesize", $upload_maxsize ?? 0); // modified by raymond
-                ?>
-
+            <?php if (((@ini_get("file_uploads") == true) || get_cfg_var("file_uploads") == 1) && is_writable($startpath)) {
+                @ini_set("upload_max_filesize", $upload_maxsize ?? 0); // modified by raymond ?>
                 <form name="upload" enctype="multipart/form-data" action="index.php" method="post">
                     <input type="hidden" name="MAX_FILE_SIZE" value="<?= $upload_maxsize ?? 5000000 ?>">
                     <input type="hidden" name="a" value="31">
-                    <input type="hidden" name="path" value="<?= $startpath ?>">
-
-                    <?php if (isset($information)) {
-                        echo $information;
-                    } ?>
-
+                    <input type="hidden" name="path" value="<?= $relative_path ?>">
+                    <!-- Fix: Add token to upload form -->
+                    <input type="hidden" name="token" value="<?= $newToken ?>">
+                    <?php if (isset($information)) { echo $information; } ?>
                     <div id="uploader">
                         <input type="file" name="userfile[]" onchange="document.upload.submit();" multiple>
                         <a class="btn btn-secondary" href="javascript:;" onclick="document.upload.submit()"><?= $_lang['files_uploadfile'] ?></a>
                     </div>
                 </form>
-                <?php
-            } else {
+            <?php } else {
                 echo "<p>" . $_lang['files_upload_inhibited_msg'] . "</p>";
-            }
-            ?>
+            } ?>
             <div id="imageviewer"></div>
         </div>
-
     </div>
-<?php
-
-if (get_by_key($_REQUEST, 'mode') == "edit" || get_by_key($_REQUEST, 'mode') == "view") {
-    ?>
-
+<?php if (get_by_key($_REQUEST, 'mode') == "edit" || get_by_key($_REQUEST, 'mode') == "view") { ?>
     <div class="section" id="file_editfile">
         <div class="navbar navbar-editor"><?= $_REQUEST['mode'] == "edit" ? $_lang['files_editfile'] : $_lang['files_viewfile'] ?></div>
         <?php
-        $filename = $_REQUEST['path'];
+        $requested_path = ltrim($_REQUEST['path'] ?? '', '/');
+        $filename = str_replace('\\', '/', realpath($filemanager_path . '/' . $requested_path));
+        if (strpos($filename, $filemanager_path) !== 0 || !is_file($filename)) {
+            evo()->webAlertAndQuit("Invalid path.");
+        }
         $buffer = file_get_contents($filename);
         // Log the change
         logFileChange('view', $filename);
@@ -487,7 +522,8 @@ function renameFile(file) {
         <form action="index.php" method="post" name="editFile">
             <input type="hidden" name="a" value="31" />
             <input type="hidden" name="mode" value="save" />
-            <input type="hidden" name="path" value="<?= $_REQUEST['path'] ?>" />
+            <input type="hidden" name="path" value="<?= $requested_path ?>" />
+            <input type="hidden" name="token" value="<?= $newToken ?>" />
             <table width="100%" border="0" cellspacing="0" cellpadding="0">
                 <tr>
                     <td>
@@ -516,15 +552,12 @@ function renameFile(file) {
             $contentType = 'htmlmixed';
     };
     $evtOut = evo()->invokeEvent('OnRichTextEditorInit', [
-            'editor' => 'Codemirror',
-            'elements' => [
-                    'content',
-            ],
-            'contentType' => $contentType,
-            'readOnly' => $_REQUEST['mode'] == 'edit' ? false : true
+        'editor' => 'Codemirror',
+        'elements' => ['content'],
+        'contentType' => $contentType,
+        'readOnly' => $_REQUEST['mode'] !== 'edit'
     ]);
     if (is_array($evtOut)) {
         echo implode('', $evtOut);
     }
 }
-