I'm writing an application that can download files, and takes a queue on where to stick the result from the name of the original file, and a user name. This is similar to what many instant messaging clients do with their downloads.

Is there any easier way than listing out potential operating systems with #ifdef clauses to create a directory from an unsanitized string, i.e. the user name?

I'm running into problems because if the strings contain file system special characters (things like : or \ on Windows) the call to mkpath fails. Furthermore, I'm concerned about security, where malicious things like \..\..\..\Windows\command.exe could be slipped in, where nasty files could be downloaded into inappropriate locations.

Why not just convert every character that isn't in the range A-Z 0-9 to underscore?

I'd like to be able to handle things like user names that consist entirely of foreign language characters as well though.

I could try for a fairly blunt approach and use regex to strip all of the following characters: /\:"*?<>|¥
However, it seems pretty unreliable to me, since it's not capable of adapting at all in case there is some additional character I missed (like the Yen symbol).

Although, now that I think about it again, that won't work cross-platform, because are there some OS and filesystem combinations that don't support Unicode?

I can't think of many FS that don't fully support Unicode (even an FS like FAT12 can gain unicode capability by using the VFAT extension)

However, a lot of applications will not understand any non-ASCII filename (including a lot of file managers).