in reply to Re^3: Bad code from the trenches
in thread Bad code from the trenches
For example, if you are writing a CGI that is supposed to serve a file to the user, you can probably have all such files confined to a specific directory, and allow only relative filenames that don't contain double dots. To be on the safe side, I would constrain the filename to the smallest possible set of characters, such as /^\w+$/. But again, it depends on the application.
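As an added example (not code from the original post), here is one way to put that advice into a Perl CGI helper: the `/^\w+$/` allow-list is applied first, then the resolved path is checked to still lie under the serving directory. The base directory and request names are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Validate a user-supplied filename along the lines described above:
# a relative name, no "..", and (strictest) only \w characters.
# Returns the absolute path to serve, or undef if the request is rejected.
sub safe_path {
    my ($base, $name) = @_;
    return undef unless defined $name && length $name;

    # Allow-list check. \A and \z are used instead of ^ and $ because
    # $ in Perl also matches before a trailing newline ("foo\n" would pass).
    return undef unless $name =~ /\A\w+\z/;

    # Belt and braces: resolve the real path (follows symlinks) and make
    # sure it is still underneath the real base directory.
    my $root = realpath($base) or return undef;
    my $real = realpath(File::Spec->catfile($root, $name)) or return undef;
    return undef unless index($real, "$root/") == 0;
    return $real;
}

# Constructed demo: a throwaway directory holding one servable file.
my $base = tempdir(CLEANUP => 1);
open my $fh, '>', "$base/report1" or die "create: $!";
print {$fh} "hello\n";
close $fh;

for my $req ('report1', '../etc/passwd', 'report1/../../x',
             "report1\n", '/etc/passwd', 'nope') {
    my $p = safe_path($base, $req);
    printf "%-20s => %s\n", $req =~ s/\n/\\n/r,
        defined $p ? "serve $p" : 'reject';
}
```

Only `report1` is served; every other request, including the one that passes a naive double-dot check (`report1\n`) and the one that is well-formed but absent (`nope`), is rejected.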