diff --git a/src/admin/dialog/select_soft_post.php b/src/admin/dialog/select_soft_post.php
index 03847012..07e04ed2 100644
--- a/src/admin/dialog/select_soft_post.php
+++ b/src/admin/dialog/select_soft_post.php
@@ -58,6 +58,10 @@ if (!empty($newname)) {
 }
 $filename = $filename.'.'.$fs[count($fs) - 1];
 }
+if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) {
+ ShowMsg("你指定的文件名被系统禁止",'javascript:;');
+ exit();
+}
 $fullfilename = $cfg_basedir.$activepath.'/'.$filename;
 $fullfileurl = $activepath.'/'.$filename;
 $mime = get_mime_type($uploadfile);
diff --git a/src/admin/media_add.php b/src/admin/media_add.php
index c1d48b31..469d410b 100644
--- a/src/admin/media_add.php
+++ b/src/admin/media_add.php
@@ -52,10 +52,9 @@ if ($dopost == "upload") {
 MkdirAll($cfg_basedir.$savePath, 777);
 CloseFtp();
 }
- //后台文件任意上传漏洞:早期版本后台存在大量的富文本修改器,该控件提供了一些文件上传接口,同时对上传文件的后缀类型未进行严格的限制,这导致了黑客可以上传WEBSHELL,获取网站后台权限
- if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$#i', trim($filename))) {
- ShowMsg("您指定的文件名被系统禁止", "javascript:;");
- exit();
+ if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) {
+ ShowMsg("你指定的文件名被系统禁止!",'javascript:;');
+ exit();
 }
 $fullfilename = $cfg_basedir.$filename;
 $mime = get_mime_type(${"upfile".$i});
diff --git a/src/admin/soft_add.php b/src/admin/soft_add.php
index 8b5a0a19..4ac17117 100644
--- a/src/admin/soft_add.php
+++ b/src/admin/soft_add.php
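Review bot: The new guard on the first added line only fires when at least one non-alphanumeric character follows the extension, because `[^a-zA-Z0-9]+$` requires one or more such characters; a plain `shell.php` does not match and proceeds to `$fullfilename = $cfg_basedir.$activepath.'/'.$filename;`. If the intent was to also catch trailing-dot or trailing-space variants that `trim()` does not remove, the quantifier should be `*`, as in `if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]*$#i', trim($filename))) {`. Whether an extension whitelist elsewhere in this script already rejects `.php` is not visible from the hunk, so this check should not depend on it. The `if (!empty($newname))` block closes within the hunk, but the upload handling continues outside it.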
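Review bot: Replacing `$` with `[^a-zA-Z0-9]+$` in the added preg_match weakens the check it replaces: the removed pattern rejected a bare `x.php`, the new one requires a trailing non-alphanumeric character and therefore lets `x.php` reach `$fullfilename = $cfg_basedir.$filename;`. Use `*` so both the bare and the trailing-junk forms are caught: `if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]*$#i', trim($filename))) {`. The same extension list is duplicated in select_soft_post.php in this commit; a shared helper would keep the two copies from drifting apart. Dropping the explanatory comment also loses the only record of why the check exists; a one-line note such as `// reject script extensions so rich-text upload endpoints cannot write a web shell` is worth keeping. The `if ($dopost == "upload")` branch starts before the hunk.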
@@ -155,7 +155,7 @@ else if ($dopost == 'save') {
 $softurl1 = stripslashes($softurl1);
 $nsoftsize = '';
 if ($softurl1 != '') {
- $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
+ if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) { $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; }
 $autosize = empty($autosize) ? FALSE : TRUE;
 if ($autosize && empty($softsize)) {
 $nsoftsize = @filesize($cfg_basedir.$softurl1);
diff --git a/src/apps/search.php b/src/apps/search.php
index c7d97ea0..98c7247a 100755
--- a/src/apps/search.php
+++ b/src/apps/search.php
@@ -53,7 +53,8 @@ if (empty($typeid)) {
 }
 }
 }
-$keyword = addslashes(cn_substr($keyword, 30));
+$typeid = intval($typeid);
+$keyword = addslashes(cn_substr($keyword,30));
 $typeid = intval($typeid);
 if ($cfg_notallowstr != '' && preg_match("#".$cfg_notallowstr."#i", $keyword)) {
 ShowMsg("您的搜索关键词中存在非法文档,被系统禁止", "-1");
diff --git a/src/system/filter.inc.php b/src/system/filter.inc.php
index 884ae31a..51f24851 100755
--- a/src/system/filter.inc.php
+++ b/src/system/filter.inc.php
@@ -33,7 +33,7 @@ function _FilterAll($fk, &$svar)
 $svar = preg_replace('/'.$cfg_replacestr.'/i', "***", $svar);
 }
 }
- return $svar;
+ return addslashes($svar);
 }
 /* 对_GET,_POST,_COOKIE进行过滤 */
 foreach (array('_GET', '_POST', '_COOKIE') as $_request) {
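Review bot: The added line still interpolates `$servermsg1` raw into the `text='…'` attribute of a template tag and rejects only one payload shape, `}…{/dede:link}{dede:` with the two tags adjacent; a value that breaks out with a `'` or separates the tags with whitespace is not matched by the pattern (whether the template parser tolerates that whitespace is not visible here). A denylist regex is the wrong tool for this; strip the characters that carry meaning in the tag instead, and apply the same to `$softurl1`, which is also interpolated unescaped: `$servermsg1 = str_replace(array('{', '}', "'"), '', $servermsg1);` before the existing `$urls .= …` line. Silently dropping the link on a match also hides the rejection from the admin; a `ShowMsg` would be consistent with the other hunks in this commit. Putting the condition, the statement and the closing brace on one line departs from the file's style; split it across three lines. The `else if ($dopost == 'save')` block starts before the hunk and ends after it.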
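Review bot: The added `$typeid = intval($typeid);` is redundant: the unchanged line two below it performs the identical assignment, so the new line changes nothing and leaves the cast written twice. Either drop the added line or remove the now-duplicate context line, not keep both. The only other change in the hunk is the removed space in `cn_substr($keyword,30)`. The `if (empty($typeid))` block closes within the hunk; the rest of the search script continues outside it.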
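Review bot: `return addslashes($svar);` escapes only the returned copy; the by-reference parameter `&$svar` keeps the unescaped value, so whether request data ends up escaped depends on which of the two the caller (the `foreach` over `_GET`/`_POST`/`_COOKIE`, whose body is outside the hunk) actually uses. If the intent is to escape in place, assign before returning: `$svar = addslashes($svar); return $svar;`. If the loop stores the return value instead, call sites that already escape — `search.php` in this same commit does `addslashes(cn_substr($keyword, 30))` — will double-escape and put literal backslashes into queries. Either way `addslashes` is defence in depth, not a substitute for parameterised queries (it does not protect against multibyte-charset escape sequences and does nothing for values used in numeric or identifier position), and the comment above the loop should say so: `/* Filter _GET/_POST/_COOKIE; addslashes() here is defence in depth, not a replacement for prepared statements */`.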