FIX #yogosha6944 Protection against traversal path.

htdocs/document.php

@@ -195,7 +195,8 @@ if (!in_array($type, array('text/x-javascript')) && !dolIsAllowedForPreview($ori
 }
 
 // Security: Delete string ../ into $original_file
-$original_file = str_replace("../", "/", $original_file);
+$original_file = str_replace('../', '/', $original_file);
+$original_file = str_replace('..\\', '/', $original_file);
 
 // Find the subdirectory name as the reference
 $refname = basename(dirname($original_file)."/");