use set comparison to protect against insecure path elements; don't disallow items that start with dot; don't url-quote each path element