From a990ab8f62daf3427ed4fa21ad2fef5a92d6b936 Mon Sep 17 00:00:00 2001
From: Andrew Pikul
Date: Mon, 2 Jun 2025 12:37:29 -0400
Subject: [PATCH 1/3] Escape user-supplied strings regex
---
 src/py/kaleido/_fig_tools.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/py/kaleido/_fig_tools.py b/src/py/kaleido/_fig_tools.py
index 84e5daa5..5bcac2f0 100644
--- a/src/py/kaleido/_fig_tools.py
+++ b/src/py/kaleido/_fig_tools.py
@@ -91,7 +91,9 @@ def to_spec(figure, layout_opts):
 def _next_filename(path, prefix, ext):
 default = 1 if (path / f"{prefix}.{ext}").exists() else 0
- re_number = re.compile(r"^" + prefix + r"-(\d+)\." + ext + r"$")
+ re_number = re.compile(
+ r"^" + re.escape(prefix) + r"\-(\d+)\." + re.escape(ext) + r"$",
+ )
 numbers = [
 int(match.group(1))
 for name in path.glob(f"{prefix}-*.{ext}")
From 49679546a4acac55a163b3e6c9ca5916ea62caa0 Mon Sep 17 00:00:00 2001
From: Andrew Pikul
Date: Mon, 2 Jun 2025 13:04:50 -0400
Subject: [PATCH 2/3] Update CHANGELOG
---
 src/py/CHANGELOG.txt | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/py/CHANGELOG.txt b/src/py/CHANGELOG.txt
index a4ff80ce..39027af5 100644
--- a/src/py/CHANGELOG.txt
+++ b/src/py/CHANGELOG.txt
@@ -1,3 +1,6 @@
+v1.0.0rc15
+- BUG: Add regex sanitization for auto-filename generation
+
 v1.0.0rc14
 - Pass `plotlyjs` option through from Kaleido() to PageGenerator()
From b83b6b8facf4ba7e9cc2c04f10013a998f124f1d Mon Sep 17 00:00:00 2001
From: Andrew Pikul
Date: Mon, 2 Jun 2025 17:19:22 -0400
Subject: [PATCH 3/3] Sanitize glob as well
---
 src/py/kaleido/_fig_tools.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/py/kaleido/_fig_tools.py b/src/py/kaleido/_fig_tools.py
index 5bcac2f0..776f8065 100644
--- a/src/py/kaleido/_fig_tools.py
+++ b/src/py/kaleido/_fig_tools.py
@@ -1,3 +1,4 @@
+import glob
 import re
 from pathlib import Path
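Review bot: In the `@@ -91,7 +91,9 @@` hunk of patch 1/3, the backslash in `r"\-(\d+)\."` is unnecessary, because a hyphen is only special inside a character class; `r"-(\d+)\."` matches the same file names and mirrors the literal `-` in the glob pattern. The series also changes only `_fig_tools.py` and the changelog, so nothing pins the fix: a regression test that calls `_next_filename` with a prefix containing regex metacharacters (for example the constructed value `a.b(1)`) next to an existing numbered file would show the counter is still found. A short comment above `re.compile(` would record the intent, e.g. `# prefix/ext may be user-supplied: match them literally`. The body of `_next_filename` continues past the end of this hunk.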
@@ -94,9 +95,11 @@ def _next_filename(path, prefix, ext):
 re_number = re.compile(
 r"^" + re.escape(prefix) + r"\-(\d+)\." + re.escape(ext) + r"$",
 )
+ escaped_prefix = glob.escape(prefix)
+ escaped_ext = glob.escape(ext)
 numbers = [
 int(match.group(1))
- for name in path.glob(f"{prefix}-*.{ext}")
+ for name in path.glob(f"{escaped_prefix}-*.{escaped_ext}")
 if (match := re_number.match(Path(name).name))
 ]
 n = max(numbers, default=default) + 1
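Review bot: `glob.escape` and `re.escape` neutralise wildcard and regex metacharacters but not path separators, so a `prefix` or `ext` containing `/` (or `\` on Windows) still turns `f"{escaped_prefix}-*.{escaped_ext}"` into a multi-segment pattern that matches files in a different directory than `path`, while `re_number` can then never match `Path(name).name` and `numbers` stays empty. Whether callers already strip separators is not visible in this hunk; if they do not, a guard at the top of `_next_filename` such as `if Path(prefix).name != prefix or Path(ext).name != ext: raise ValueError("prefix/ext must be plain name components")` would reject such input instead of returning a misleading counter. The function starts above this hunk and its return statement is below it, so how `n` is turned into a file name cannot be checked here.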