Is there a way to prevent a maliciously-named file from causing a Javascript injection? If you use a Mac (so that you're not bound by Windows filename conventions) and name a file with javascript in the file name, it's possible to cause the page to fire that javascript. I've already disabled the 'show filename' option, but it still is firing when I test this.