Thanks for the quick reply, asmecher,
Unfortunately, the fact that the tilde character (~) can still appear in the URL even after having passed through the cleanFileVar function prompts a fail response from our campus-wide PCI compliance scan.
Since this is a campus-wide scan, we have to address this issue and come into compliance even though it is safe behavior in this case.
The specific vulnerability mentioned in the scan is "Backup Files Disclosure"; info here: http://projects.webappsec.org/Predictab ... e-Location
Is there a way to actually strip the character completely out of the URL?
University of Arizona Libraries