Sanitized user-provided file names in HTTP multipart uploads

src/main/java/stirling/software/SPDF/controller/api/misc/OCRController.java

@@ -1,6 +1,7 @@
 package stirling.software.SPDF.controller.api.misc;
 
 import io.github.pixee.security.BoundedLineReader;
+import io.github.pixee.security.Filenames;
 import java.awt.image.BufferedImage;
 import java.io.BufferedReader;
 import java.io.File;
@@ -175,7 +176,7 @@ public class OCRController {
             // Read the final PDF file
             byte[] pdfContent = Files.readAllBytes(finalOutputFile);
             String outputFilename =
-                    inputFile.getOriginalFilename().replaceFirst("[.][^.]+$", "") + "_OCR.pdf";
+                    Filenames.toSimpleFileName(inputFile.getOriginalFilename()).replaceFirst("[.][^.]+$", "") + "_OCR.pdf";
 
             return ResponseEntity.ok()
                     .header(