delete.php is vulnerable to path traversal (the filter can be bypassed using ".../.../" instead of "../../"). See #210