use realpath and validate tpl directory contents

to ensure only php files inside the tpl dir can get used as templates

tst/ViewTest.php

@@ -141,4 +141,13 @@ class ViewTest extends TestCase
         $this->expectExceptionCode(80);
         $test->draw('123456789 does not exist!');
     }
+
+    public function testInvalidTemplate()
+    {
+        $test = new View;
+        $this->expectException(Exception::class);
+        $this->expectExceptionCode(81);
+        $test->draw('../index');
+    }
+
 }