-url_re = re.compile(r"[a-z]{3,8}://[^\s'\"]+\S")
-ext_re = re.compile(r"\.([^\./]+)$")
+# FIXME: we accept stuff like foo/../bar and we shouldn't
+file_re = re.compile(r"([A-Za-z0-9_\-][A-Za-z0-9_\.\-/]*)")
+url_re = re.compile(r"[a-z]{3,8}://[^\s'\"]+\S")
+ext_re = re.compile(r"\.([^\./]+)$")