File upload - regex for illegal characters in path

We have been asked to restrict filenames for uploaded files in the file manager to files containing only alphanumerics, underscores and hyphens. In order to do this, we have been using a modified version of the regular expression given for "illegalCharactersRegex" at http://world.episerver.com/Documentation/Items/Tech-Notes/EPiServer-CMS-6/EPiServer-CMS-6-R2/Configuration---episerver-Section/.

I've modified this regex by adding a check for characters other than alphanumerics, underscores, hyphens, a period (for extensions), and a slash (for directory/filename separators) as follows:

illegalCharactersRegex="[^A-Za-z0-9\-_\./]|^COM[0-9]([/\.]|$)|^LPT[0-9]([/\.]|$)|^PRN([/\.]|$)|^CLOCK\$([/\.]|$)|^AUX([/\.]|$)|^NUL([/\.]|$)|^CON([/\.]|$)"

However, this regex is matching even when I attempt to upload a file whose name is simply "test".

I've tested by setting the illegalCharactersRegex to test for specific individual characters and I've found that in particular, it matches on a tilde (~) when uploading a file with the same name as one already in the file manager, but not when uploading a file with a completely new name, so clearly there is some kind of transformation being carried out on the file/directory name somewhere along the line.

I have two questions here:

1. What is the exact format of the file or directory name that is tested against illegalCharactersRegex? Are files and directories tested together as a single path, or as different components of the path?

2. What is being tested other than the file or directory name? Where is the tilde coming from, and what else is being passed to the regex that I don't know about?

#75307
Sep 24, 2013 17:44
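
Added example (not part of the original post and not EPiServer code): a Python check that runs the post's pattern over sample names and reports what matched, first against the whole path and then against each `/`-separated component. The pattern uses only syntax that behaves the same in .NET and Python; the sample names are constructed and say nothing about what the CMS actually passes to the regex.

```python
import re

# Pattern copied verbatim from the illegalCharactersRegex value in the post.
ILLEGAL = re.compile(
    r"[^A-Za-z0-9\-_\./]|^COM[0-9]([/\.]|$)|^LPT[0-9]([/\.]|$)|^PRN([/\.]|$)"
    r"|^CLOCK\$([/\.]|$)|^AUX([/\.]|$)|^NUL([/\.]|$)|^CON([/\.]|$)"
)


def explain(candidate):
    """Return None if the name passes, else (offset, matched_text, reason)."""
    m = ILLEGAL.search(candidate)
    if m is None:
        return None
    text = m.group(0)
    # The whitelist alternative consumes exactly one character; every
    # device-name alternative consumes at least three.
    reason = "reserved device name" if len(text) > 1 else "character outside whitelist"
    return (m.start(), text, reason)


def explain_segments(path):
    """Test each '/'-separated component separately, as a per-component
    validator would, and return only the components that are rejected."""
    rejected = []
    for segment in path.split("/"):
        result = explain(segment) if segment else None
        if result is not None:
            rejected.append((segment, result))
    return rejected


if __name__ == "__main__":
    # Constructed sample inputs, not values captured from a CMS.
    samples = ["test", "my-file_01.txt", "test~.txt", "my file.txt",
               "COM1.txt", "docs/COM1.txt"]
    for name in samples:
        print(f"{name!r:18} whole path: {explain(name)}  "
              f"per component: {explain_segments(name)}")
```

Because the device-name alternatives are anchored with `^`, they only apply to the start of whatever string is tested, so a reserved name in a later path component passes a whole-path test but fails a per-component one.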