diff --git a/Aquaria/ScriptInterface.cpp b/Aquaria/ScriptInterface.cpp
index 3284ced..76af7ff 100644
--- a/Aquaria/ScriptInterface.cpp
+++ b/Aquaria/ScriptInterface.cpp
@@ -656,6 +656,32 @@ inline float interpolateVec3(lua_State *L, InterpolatedVector& vec, int argOffs)
 		getBool(L, argOffs+6));              // ease
 }
 
+static void safePath(lua_State *L, const std::string& path)
+{
+	// invalid characters for file/path names.
+	// Filter out \ as well, it'd work on on win32 only, so it's not supposed to be used.
+	size_t invchr = path.find_first_of("\\\":*?<>|");
+	if(invchr != std::string::npos)
+	{
+		lua_pushfstring(L, "Invalid char in path/file name: %c", path[invchr]);
+		lua_error(L);
+	}
+	// Block attempts to access files outside of the "safe area"
+	if(path.length())
+	{
+		if(path[0] == '/')
+		{
+			lua_pushliteral(L, "Absolute paths are not allowed");
+			lua_error(L);
+		}
+		if(path.find("../") != std::string::npos)
+		{
+			lua_pushliteral(L, "Accessing parent is not allowed");
+			lua_error(L);
+		}
+	}
+}
+
 
 //----------------------------------//
 
@@ -833,6 +859,15 @@ luaFunc(loadfile_caseinsensitive)
 	}
 }
 
+luaFunc(fileExists)
+{
+	const std::string s = getString(L);
+	safePath(L, s);
+	std::string res;
+	bool there = findFile_helper(s.c_str(), res);
+	luaReturnBool(there);
+}
+
 
 
 // ----- RenderObject common functions -----
@@ -8801,6 +8836,8 @@ static const struct {
 	{"dofile", l_dofile_caseinsensitive},
 	{"loadfile", l_loadfile_caseinsensitive},
 
+	luaRegister(fileExists),
+
 	luaRegister(debugBreak),
 	luaRegister(setIgnoreAction),
 	luaRegister(isIgnoreAction),