From 583acad59213faa8e941accd4606624afba95342 Mon Sep 17 00:00:00 2001
From: Lea Anthony
Date: Sat, 7 Feb 2026 18:50:43 +1100
Subject: [PATCH] Potential fix for code scanning alert no. 174: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 v3/examples/screen/main.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/v3/examples/screen/main.go b/v3/examples/screen/main.go
index 1a18785da..900bb25f9 100644
--- a/v3/examples/screen/main.go
+++ b/v3/examples/screen/main.go
@@ -57,8 +57,20 @@ func main() {
  // Clean the requested URL path and make it relative, to prevent directory traversal
  cleanPath := filepath.Clean(r.URL.Path)
- // Treat the request path as relative by stripping any leading forward slash (HTTP paths always use "/").
- relativePath := strings.TrimPrefix(cleanPath, "/")
+
+ // Normalize to use forward slashes for leading-separator handling.
+ normalized := strings.ReplaceAll(cleanPath, "\\", "/")
+
+ // Strip all leading slashes so the path is always treated as relative.
+ normalized = strings.TrimLeft(normalized, "/")
+
+ // On Windows, also reject drive-letter or UNC-style absolute paths outright.
+ if strings.HasPrefix(normalized, ":") || strings.HasPrefix(normalized, "\\") {
+ next.ServeHTTP(w, r)
+ return
+ }
+
+ relativePath := normalized
  // Resolve the requested path against the absolute assets directory.
  resolvedPath, err := filepath.Abs(filepath.Join(assetsDirAbs, relativePath))
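Review bot: The Windows guard in the new `if` is unreachable as written: `normalized` has just had every `\` replaced by `/`, so `strings.HasPrefix(normalized, "\\")` can never be true, and a drive-letter path such as `C:/x` starts with the letter rather than `:`, so `strings.HasPrefix(normalized, ":")` does not catch it either. A condition that matches the comment's intent is `if filepath.IsAbs(normalized) || filepath.VolumeName(normalized) != "" {`, which rejects `C:/x` on Windows and is a no-op on other platforms where VolumeName is always empty and the leading slashes have already been trimmed. Note also that on Unix hosts a backslash is an ordinary filename byte, so the `ReplaceAll` changes which file a request like `a\b` resolves to; that is probably acceptable for an example server, but the comment should say so rather than describing it only as separator handling. The containment check against `assetsDirAbs` that actually bounds `resolvedPath` is not in this hunk, and the enclosing handler begins and ends outside it.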