glennblock/gist:1283076

## gistfile1.js
exports.filepath = function (webroot, url) {
  var pathSep=process.platform ==='win32' ? '\\' : '/';
  // Unescape URL to prevent security holes
  url = decodeURIComponent(url);
  // Append index.html if path ends with '/'
  fp = path.normalize(path.join(webroot, (url.match(/\/$/)=='/')  ? url+'index.html' : url));
  // Sanitize input, make sure people can't use .. to get above webroot
  if (webroot[webroot.length - 1] !== pathSep) webroot += pathSep;
  if (fp.substr(0, webroot.length) != webroot)
     return(['Permission Denied', null]);
  else
     return([null, fp.replace('/',pathSep)]);
};
	exports.filepath = function (webroot, url) {
	var pathSep=process.platform ==='win32' ? '\\' : '/';
	// Unescape URL to prevent security holes
	url = decodeURIComponent(url);
	// Append index.html if path ends with '/'
	fp = path.normalize(path.join(webroot, (url.match(/\/$/)=='/') ? url+'index.html' : url));
	// Sanitize input, make sure people can't use .. to get above webroot
	if (webroot[webroot.length - 1] !== pathSep) webroot += pathSep;
	if (fp.substr(0, webroot.length) != webroot)
	return(['Permission Denied', null]);
	else
	return([null, fp.replace('/',pathSep)]);
	};