diff --git a/packages/backend/src/util/pathutil.js b/packages/backend/src/util/pathutil.js
index 9069dc66..928db0bd 100644
--- a/packages/backend/src/util/pathutil.js
+++ b/packages/backend/src/util/pathutil.js
@@ -32,17 +32,18 @@ class PathBuilder extends AdvancedBase {
     }
     
     add (fragment, options) {
+        const require = this.require;
+        const node_path = require('path');
+
         options = options || {};
         if ( ! options.allow_traversal ) {
-            fragment = fragment.replace(/(\.\.\/|\.\.\\)/g, '');
+            fragment = node_path.normalize(fragment);
+            fragment = fragment.replace(/(\.+\/|\.+\\)/g, '');
             if ( fragment === '..' ) {
                 fragment = '';
             }
         }
 
-        const require = this.require;
-        const node_path = require('path');
-
         this.path_ = this.path_
             ? node_path.join(this.path_, fragment)
             : fragment;
diff --git a/src/IPC.js b/src/IPC.js
index 9f87909d..a04cba01 100644
--- a/src/IPC.js
+++ b/src/IPC.js
@@ -1016,7 +1016,8 @@ window.addEventListener('message', async (event) => {
         let create_missing_ancestors = false;
 
         console.warn(`The method ${event.data.msg} is deprecated - see docs.puter.com for more information.`);
-        event.data.filename = event.data.filename.replace(/(\.\.\/|\.\.\\)/g, '');
+        event.data.filename = path.normalize(event.data.filename)
+            .replace(/(\.+\/|\.+\\)/g, '');
 
         if(event.data.msg === 'saveToPictures')
             target_path = path.join(window.pictures_path, event.data.filename);