Add example of manual sanitisation.

javascript/ql/src/Security/CWE-078/CommandInjection.inc.qhelp

@@ -43,6 +43,11 @@ you can use a library like <code>shell-quote</code> to parse the user input into
 an array of arguments without risking command injection:</p>
 
 <sample src="examples/command-injection_shellquote.js" />
+
+<p>Alternatively, the original example can be made safe by checking the filename
+against an allowlist of safe characters before using it:</p>
+
+<sample src="examples/command-injection_allowlist.js" />
 </example>
 
 <references>

javascript/ql/src/Security/CWE-078/examples/command-injection_allowlist.js

@@ -0,0 +1,12 @@
+var cp = require("child_process"),
+    http = require('http'),
+    url = require('url');
+
+var server = http.createServer(function(req, res) {
+    let file = url.parse(req.url, true).query.path;
+
+    // only allow safe characters in file name
+    if (file.match(/^[\w\.\-\/]+$/)) {
+        cp.execSync(`wc -l ${file}`); // GOOD
+    }
+});