diff --git a/src/main/java/org/hl7/fhir/tools/publisher/WebMaker.java b/src/main/java/org/hl7/fhir/tools/publisher/WebMaker.java
index dd42849e..cc6adac5 100644
--- a/src/main/java/org/hl7/fhir/tools/publisher/WebMaker.java
+++ b/src/main/java/org/hl7/fhir/tools/publisher/WebMaker.java
@@ -149,7 +149,11 @@ private void extractZip(String src, String dest) throws Exception {
 String name = ze.getName();
 if (name.endsWith(".html") || name.endsWith(".htm") || name.endsWith(".png") || name.endsWith(".css")) {
 InputStream in = zf.getInputStream(ze);
- OutputStream out = new FileOutputStream(dest+name);
+ final File zipEntryFile = new File(dest, name);
+ if (!zipEntryFile.toPath().normalize().startsWith(dest)) {
+ throw new RuntimeException("Bad zip entry");
+ }
+ OutputStream out = new FileOutputStream(zipEntryFile);
 byte data[] = new byte[BUFFER];
 int count;
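Review bot: The containment check on the added `if (!zipEntryFile.toPath().normalize().startsWith(dest))` line compares a normalized entry path against the raw `dest` string, so it is only reliable when `dest` is itself already normalized; a `dest` containing `.` or `..` segments would cause legitimate entries to be rejected, and neither side is made absolute. Normalizing both sides once would make the guard independent of how the caller spells the directory: `Path destDir = Paths.get(dest).toAbsolutePath().normalize();` then `Path target = destDir.resolve(name).normalize();` and `if (!target.startsWith(destDir)) throw new IOException("Zip entry outside target dir: " + name);`. Naming the entry in the message also gives whoever triages a failed build something to search for, and `normalize()` is purely lexical, so symlinks already present under `dest` are not covered by either form. `extractZip` starts and ends outside the hunk, so whether `in` is closed on this new throw path and whether the `java.nio.file` imports exist cannot be confirmed from here.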