forked from OpenIB/OpenIB
Open
XSS potential is there, links can verifiably be broken to not work (just 404s). Have not tried to break the HTML tags though. Solution should be to do like imageboard, just save unix file and do display/download to show the original filename. Result will be safe, and same for end user. Alternatively sanitize it, but I'm not a huge fan of saving the og filenames on the server either way.
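A sketch of the approach proposed in the issue above, added here as an illustration and not taken from OpenIB's code: the file is stored under a server-generated Unix-timestamp name, and the uploader's filename survives only as escaped display/download metadata. The function names, the `/src/` URL prefix and the extension allow-list are assumptions made for the example.

```python
import html
import os
import secrets
import time
from typing import Optional

# Assumed allow-list; the real board's accepted types may differ.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webm"}

def stored_name(original: str, now: Optional[float] = None) -> str:
    """Name used on disk and in the URL: Unix time in ms plus 3 random digits.
    Only the allow-listed extension is taken from the upload, so characters
    such as '#', '?' or '"' in the original name can no longer break the link."""
    ext = os.path.splitext(original)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    ts = int((time.time() if now is None else now) * 1000)
    return f"{ts}{secrets.randbelow(1000):03d}{ext}"

def display_name(original: str, limit: int = 255) -> str:
    """Original name kept as metadata only: drop path parts and control chars."""
    base = original.replace("\\", "/").rsplit("/", 1)[-1]
    base = "".join(c for c in base if c.isprintable())
    return base[:limit] or "file"

def file_link(stored: str, original: str, base_url: str = "/src/") -> str:
    """Link to the stored file; the original name appears only HTML-escaped,
    as link text and in the download attribute."""
    shown = html.escape(display_name(original), quote=True)
    return (f'<a href="{base_url}{stored}" download="{shown}" '
            f'title="{shown}">{shown}</a>')

if __name__ == "__main__":
    # Constructed sample upload name containing markup characters.
    upload = 'x"><img src=x onerror=alert(1)>.png'
    name = stored_name(upload)
    print(name)
    print(file_link(name, upload))
```

The original filename would be stored in the post's database row rather than on the filesystem, which matches the issue's preference for not saving uploader-supplied names on the server.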