# check for tainted data
my $files = $q->param( "files") || error( $q, "couldn't read File value");
$files =~ /^([\/.\w.]+)$/;
# The "untainted" file is now in $1
$files = $1;
die "Bad filename" unless $files;

foreach ($files){
unlink($_);
}