diff --git a/jbake-core/src/main/java/org/jbake/app/ZipUtil.java b/jbake-core/src/main/java/org/jbake/app/ZipUtil.java
index 481b94a1..8b94c4e5 100644
--- a/jbake-core/src/main/java/org/jbake/app/ZipUtil.java
+++ b/jbake-core/src/main/java/org/jbake/app/ZipUtil.java
@@ -28,7 +28,10 @@ public static void extract(InputStream is, File outputFolder) throws IOException
 byte[] buffer = new byte[1024];
 while ((entry = zis.getNextEntry()) != null) {
- File outputFile = new File(outputFolder.getCanonicalPath() + File.separatorChar + entry.getName());
+ File outputFile = new File(outputFolder.getCanonicalPath(), entry.getName());
+ if (!outputFile.toPath().normalize().startsWith(outputFolder.getCanonicalPath())) {
+ throw new IOException("Bad zip entry");
+ }
 File outputParent = new File(outputFile.getParent());
 outputParent.mkdirs();