diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index e420eec92..f7b990652 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -2850,6 +2850,27 @@ lws_json_purify(char *escaped, const char *string, int len)
 	return escaped;
 }
 
+LWS_VISIBLE LWS_EXTERN void
+lws_filename_purify_inplace(char *filename)
+{
+	while (*filename) {
+
+		if (*filename == '.' && filename[1] == '.') {
+			*filename = '_';
+			filename[1] = '_';
+		}
+
+		if (*filename == ':' ||
+		    *filename == '/' ||
+		    *filename == '\\' ||
+		    *filename == '$' ||
+		    *filename == '%')
+			*filename = '_';
+
+		filename++;
+	}
+}
+
 LWS_VISIBLE LWS_EXTERN const char *
 lws_urlencode(char *escaped, const char *string, int len)
 {
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index befbe1504..a488a157e 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -4426,6 +4426,17 @@ lws_sql_purify(char *escaped, const char *string, int len);
 LWS_VISIBLE LWS_EXTERN const char *
 lws_json_purify(char *escaped, const char *string, int len);
 
+/**
+ * lws_filename_purify_inplace() - replace scary filename chars with underscore
+ *
+ * \param filename: filename to be purified
+ *
+ * Replace scary characters in the filename (it should not be a path)
+ * with underscore, so it's safe to use.
+ */
+LWS_VISIBLE LWS_EXTERN void
+lws_filename_purify_inplace(char *filename);
+
 LWS_VISIBLE LWS_EXTERN int
 lws_plat_write_cert(struct lws_vhost *vhost, int is_key, int fd, void *buf,
 			int len);