diff --git a/dialects/nodepomf/dialect.loki_nodepomf.js b/dialects/nodepomf/dialect.loki_nodepomf.js
index 4077e30..e1a8e66 100644
--- a/dialects/nodepomf/dialect.loki_nodepomf.js
+++ b/dialects/nodepomf/dialect.loki_nodepomf.js
@@ -88,10 +88,10 @@ module.exports = (app, prefix) => {
 /// ************************************************
 app.use(prefix + '/loki/v1/f/:file', function(req, res) {
- const safePath = req.params.file.replace(/[\.\/]/g, '');
+ const safePath = req.params.file.replace(/\.\.\//g, '');
 try {
- const buf = fs.readFileSync('files/' + safePath);
+ const buf = fs.readFileSync(fileUploadPath + '/' + safePath);
 /// NOTE: attachments in private conversations are saved under
 /// `/root/nodepomf/files/` (not in `files/` relative to current dir)
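Review bot: The new `safePath` line removes only the literal `../` in a single, non-recursive pass, so it no longer guarantees that the path handed to `fs.readFileSync` stays under `fileUploadPath`. Overlapping sequences can collapse back into `../` after the replacement, and a backslash separator is not matched at all, whereas the old character strip removed every dot and slash. Rather than filtering the string, resolve the requested name against the upload root and reject anything that resolves outside it, as sketched below. This assumes `path` is in scope in this file, which the hunk does not show, and it does not cover symlinks inside the upload directory. The handler's body continues outside the hunk, so the rejection response should follow whatever error style the rest of the handler uses.

```javascript
app.use(prefix + '/loki/v1/f/:file', function(req, res) {
  // Resolve against the upload root and refuse anything that escapes it.
  const uploadRoot = path.resolve(fileUploadPath);
  const filePath = path.resolve(uploadRoot, req.params.file);
  if (!filePath.startsWith(uploadRoot + path.sep)) {
    return res.status(400).end();
  }
  try {
    const buf = fs.readFileSync(filePath);
    // … unchanged: rest of the handler …
```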