[SECURITY] Disallow pht as file extension