diff --git a/flask_webgoat/actions.py b/flask_webgoat/actions.py
index 4bcbc4d9..639de499 100644
--- a/flask_webgoat/actions.py
+++ b/flask_webgoat/actions.py
@@ -2,6 +2,7 @@ import base64
 from pathlib import Path
 import subprocess
+import re
 from flask import Blueprint, request, jsonify, session
@@ -23,6 +24,9 @@ def log_entry():
     if text_param is None:
         return jsonify({"error": "text parameter is required"})
+    # Sanitize filename_param to prevent directory traversal
+    filename_param = re.sub(r'[^\w\s-]', '', filename_param)
+
     user_id = user_info[0]
     user_dir = "data/" + str(user_id)
     user_dir_path = Path(user_dir)
@@ -32,7 +36,6 @@ def log_entry():
     filename = filename_param + ".txt"
     path = Path(user_dir + "/" + filename)
     with path.open("w", encoding="utf-8") as open_file:
-        # vulnerability: Directory Traversal
         open_file.write(text_param)
     return jsonify({"success": True})
@@ -60,3 +63,4 @@ def deserialized_descr():
     # vulnerability: Insecure Deserialization
     deserialized = pickle.loads(data)
     return jsonify({"success": True, "description": str(deserialized)})
+
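Review bot: The added `re.sub` in log_entry silently rewrites the filename instead of validating it, and the rewritten value is never checked against the directory it is meant to stay inside; in Python 3 `\w` and `\s` are Unicode-wide, whitespace such as newlines survives the strip, and a name reduced to nothing quietly becomes `.txt`. A containment check where the path is built in the next hunk (`path = Path(user_dir + "/" + filename)`) is the robust guard: `if not path.resolve().is_relative_to(user_dir_path.resolve()): return jsonify({"error": "invalid filename"})`, and a strict allow-list such as `if not re.fullmatch(r'[A-Za-z0-9_-]{1,64}', filename_param): return jsonify({"error": "invalid filename"})` would make the accepted contract explicit and reject rather than mutate. If `filename_param` can still be None at this point (its check, if any, is above this hunk), `re.sub` raises TypeError before any of this runs. log_entry begins before this hunk and continues into the following one.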