Since %0A is a line feed in URL encoding, Rails automatically decodes the parameter to "file.txt\n<script>alert('hello')</script>". This file name passes the filter because the regular expression matches up to the line end; what follows the newline does not matter. The correct expression should read:
bc. /\A[\w\.\-\+]+\z/
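As an added example, not taken from the guide itself, the Ruby script below runs the line-anchored and the string-anchored pattern against the decoded parameter; the helper names and the use of URI.decode_www_form_component in place of Rails' own parameter parsing are assumptions.

```ruby
# Added example: why \A and \z matter for the file-name check.
# In Ruby, ^ and $ match at line boundaries, so a newline inside the value
# lets everything after it escape the check; \A and \z anchor the whole string.
require "uri"

WEAK_FILE_NAME   = /^[\w\.\-\+]+$/     # line-anchored: the vulnerable form
STRICT_FILE_NAME = /\A[\w\.\-\+]+\z/   # string-anchored: the corrected form

# Returns true when +file_name+ is accepted by +pattern+ (strict by default).
def valid_file_name?(file_name, pattern = STRICT_FILE_NAME)
  !!(file_name =~ pattern)
end

# Constructed input: the URL-encoded value as a client would submit it.
ENCODED_PARAM = "file.txt%0A<script>alert('hello')</script>"

# Decodes %0A to "\n" the way the framework does before the filter sees it
# (assumption: URI.decode_www_form_component stands in for Rails' parsing).
def decoded_param
  URI.decode_www_form_component(ENCODED_PARAM)
end

if __FILE__ == $0
  name = decoded_param
  puts name.inspect
  puts "weak   accepts injected name: #{valid_file_name?(name, WEAK_FILE_NAME)}"
  puts "strict accepts injected name: #{valid_file_name?(name, STRICT_FILE_NAME)}"
  puts "strict accepts 'file.txt':    #{valid_file_name?('file.txt')}"
end
```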
h4. Privilege escalation
-- _Changing a single parameter may give the user unauthorized access. Remember that every parameter may be changed, no matter how much you hide or obfuscate it._