I'm writing an application that can download files, and takes a queue on where to stick the result from the name of the original file, and a user name. This is similar to what many instant messaging clients do with their downloads.

Is there any easier way than listing out potential operating systems with #ifdef clauses to create a directory from an unsanitized string, i.e. the user name?

I'm running into problems because if the strings contain file system special characters (things like : or \ on Windows) the call to mkpath fails. Furthermore, I'm concerned about security, where malicious things like \..\..\..\Windows\command.exe could be slipped in, where nasty files could be downloaded into inappropriate locations.