diff --git a/app/main/views.py b/app/main/views.py
index 4070e7dea..e13b21687 100644
--- a/app/main/views.py
+++ b/app/main/views.py
@@ -1,4 +1,5 @@
 from flask import render_template, redirect, request, jsonify, send_file, abort, current_app
+from werkzeug.utils import safe_join
 from flask_login import current_user, login_required, login_user, logout_user
 from .. import db
 from .. import plugins
@@ -679,7 +680,7 @@ def swapactionorder(): # TODO: sort out permissions for this (e.g. who has the
 @login_required
 def static_file(path):
     # TODO: this looks a bit unsafe to me
-    return send_file("../plugins/" + path)
+    return send_file(safe_join('../plugins/',path))
 def str_to_bool(str):
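Review bot: The new return line in `static_file` feeds the result of `safe_join` straight into `send_file` without checking it, but `safe_join` signals a rejected path (absolute, `..`, backslash separators) by returning `None` in current Werkzeug releases (older releases raised `NotFound` instead), so a traversal attempt becomes an unhandled exception and a 500 rather than a clean 404; `abort` is already imported on the first hunk's context line, so the fix is a guard before the call. The base directory `'../plugins/'` is also relative, and whether it is resolved against the working directory or `current_app.root_path` depends on the Flask version in use, so anchoring it explicitly (e.g. `os.path.join(current_app.root_path, '..', 'plugins')`) or switching to `send_from_directory`, which performs the same join and raises `NotFound` itself, would remove that ambiguity. The `# TODO: this looks a bit unsafe to me` comment is now stale and should say what is actually enforced, e.g. `# path comes from the URL; safe_join rejects absolute paths and '..' components`. Note that `@login_required` only requires authentication, so every logged-in user can read any file under plugins/ — fine if that is intended, but worth stating in the comment. The route decorator for this view, if any, sits above the hunk.

```python
def static_file(path):
    # path comes from the URL; safe_join rejects absolute paths and '..' components
    target = safe_join('../plugins/', path)
    if target is None:
        abort(404)
    return send_file(target)
```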