If the first char is not alphanumeric, remove it, and keep removing until an alphanumeric char is found
If the string "../" (and basically all variants, url encoding etc.) are present, replace them with nothing, and keep replacing until none are left.
We can bypass this by having a decoy path parameter as something random (as long as its not an actual dir i think its fine), and then having an "&&path=" to add another path variable, which is unfiltered.
