diff --git a/control/app_files.py b/control/app_files.py
index a3ff889..fa6ed13 100644
--- a/control/app_files.py
+++ b/control/app_files.py
@@ -44,7 +44,7 @@ def init_files_router(session, podman_api_base: str, workloads_dir: str) -> APIR
 
     @router.get("/workloads/read/{filename:path}")
     def read_workload(filename: str):
-        path = os.path.join(workloads_dir, filename)
+        path = _files_safe_join(filename)
         if not os.path.exists(path):
             raise HTTPException(404)
         with open(path, 'r') as f:
@@ -55,7 +55,7 @@ def init_files_router(session, podman_api_base: str, workloads_dir: str) -> APIR
     def save_workload_file(data: dict):
         path = data.get("path")
         content = data.get("content")
-        full_path = os.path.join(workloads_dir, path)
+        full_path = _files_safe_join(path)
         os.makedirs(os.path.dirname(full_path), exist_ok=True)
         with open(full_path, "w") as f:
             f.write(content)
@@ -63,7 +63,7 @@ def init_files_router(session, podman_api_base: str, workloads_dir: str) -> APIR
 
     @router.post("/workloads/deploy/{filename:path}")
     def deploy_workload(filename: str):
-        path = os.path.join(workloads_dir, filename)
+        path = _files_safe_join(filename)
         with open(path, 'r') as f:
             yaml_content = f.read()
         url = f"{podman_api_base}/libpod/kube/play"