diff --git a/format/fsck.cgi b/format/fsck.cgi
index e639745c1..a2671a7b7 100755
--- a/format/fsck.cgi
+++ b/format/fsck.cgi
@@ -7,8 +7,9 @@ $access{'view'} && &error($text{'ecannot'});
 &ReadParse();
 &can_edit_disk($in{'dev'}) || &error($text{'fsck_ecannot'});
 &ui_print_header(undef, $text{'fsck_title'}, "");
+$in{'mode'} =~ /^-(m|n|y)$/ || &error($text{'fsck_ecannot'});
 $in{dev} =~ s/dsk/rdsk/g;
-$cmd = "fsck -F ufs $in{mode} $in{dev}";
+$cmd = "fsck -F ufs $in{mode} ".quotemeta($in{dev});
 
 print &text('fsck_exec', "<tt>$cmd</tt>"),"<p>\n";
 print "<pre>\n";
diff --git a/format/newfs.cgi b/format/newfs.cgi
index 86a39ccd6..d6ce99e18 100755
--- a/format/newfs.cgi
+++ b/format/newfs.cgi
@@ -16,13 +16,15 @@ $cmd .= &opt_check("ufs_f", '\d+', "-f");
 $cmd .= &opt_check("ufs_i", '\d+', "-i");
 $cmd .= &opt_check("ufs_m", '\d+', "-m");
 $cmd .= &opt_check("ufs_n", '\d+', "-n");
+$in{ufs_o} =~ /^(space|time)$/ || !$in{ufs_o} ||
+	&error($text{'newfs_ecannot'});
 $cmd .= $in{ufs_o} ? " -o $in{ufs_o}" : "";
 $cmd .= &opt_check("ufs_r", '\d+', "-r");
 $cmd .= &opt_check("ufs_s", '\d+', "-s");
 $cmd .= &opt_check("ufs_t", '\d+', "-t");
 $cmd .= &opt_check("ufs_cb", '\d+', "-C");
 $in{dev} =~ s/dsk/rdsk/g;
-$cmd .= " $in{dev}";
+$cmd .= " ".quotemeta($in{dev});
 
 &ui_print_header(undef, $text{'newfs_title'}, "");
 
diff --git a/format/tunefs.cgi b/format/tunefs.cgi
index 58e59c5da..bc0745dda 100755
--- a/format/tunefs.cgi
+++ b/format/tunefs.cgi
@@ -13,9 +13,11 @@ $cmd .= &opt_check("tunefs_a", '\d+', "-a");
 $cmd .= &opt_check("tunefs_d", '\d+', "-d");
 $cmd .= &opt_check("tunefs_e", '\d+', "-e");
 $cmd .= &opt_check("tunefs_m", '\d+', "-m");
+$in{tunefs_o} =~ /^(space|time)$/ || !$in{tunefs_o} ||
+	&error($text{'tunefs_ecannot'});
 $cmd .= $in{tunefs_o} ? " -o $in{tunefs_o}" : "";
 $in{dev} =~ s/dsk/rdsk/g;
-$cmd .= " $in{dev}";
+$cmd .= " ".quotemeta($in{dev});
 
 &ui_print_header(undef, $text{'tunefs_title'}, "");