Most languages have functions to get the "basename" of a file path (e.g., basename() in PHP), which strips out all directory information and leaves only the filename.
.. represents the "parent directory" in file system navigation. -template-..-2F..-2F..-2F..-2Froot-2F
If the developer decodes -2F to / but doesn’t sanitize .. , the request: ?template=-template-..-2F..-2F..-2F..-2Froot-2Fsecret.txt → becomes: /var/www/templates/-template-../../../../root/secret.txt Template for Detailed Write-up Use Built-in Functions: Most