diff --git a/lang/en b/lang/en
index fa480eb64..0bbfdbb05 100644
--- a/lang/en
+++ b/lang/en
@@ -267,7 +267,7 @@ progress_size2=Downloading $1 ($2) ..
 progress_nosize=Downloading $1 ..
 progress_datan=Received $1 ($2 %)
 progress_data2n=Received $1
-progress_done=.. download complete.
+progress_done=.. download complete
 progress_incache=Found $1 in cache ..
 readparse_cdheader=Missing Content-Disposition header
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 29dad3119..a30cc5bcd 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -5255,8 +5255,11 @@ $config_file = "$config_directory/config";
 %gconfig = ( );
 &read_file_cached($config_file, \%gconfig);
 $gconfig{'webprefix'} = '' if (!exists($gconfig{'webprefix'}));
-if (!$gconfig{'webprefix'} && $gconfig{'webprefix_remote'}) {
+if (!$gconfig{'webprefix'} && $gconfig{'webprefix_remote'} &&
+ defined($ENV{'HTTP_X_WEBMIN_WEBPREFIX'})) {
 $gconfig{'webprefix'} = $ENV{'HTTP_X_WEBMIN_WEBPREFIX'};
+ # Filter out potentially dangerous characters
+ $gconfig{'webprefix'} =~ s/[^a-zA-Z0-9\.\-_\/]//g;
 }
 $null_file = $gconfig{'os_type'} eq 'windows' ? "NUL" : "/dev/null";
 $path_separator = $gconfig{'os_type'} eq 'windows' ? ';' : ':';
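Review bot: The allow-list on the added `s/[^a-zA-Z0-9\.\-_\/]//g` line in web-lib-funcs.pl still accepts a value that starts with `//` or contains `..` segments, so a request-supplied X-Webmin-Webprefix header can produce a prefix that reads as a protocol-relative URL or steps outside the intended path once `$gconfig{'webprefix'}` is placed into links and redirects (those uses are outside this hunk, so the impact is inferred). Stripping characters also silently turns a malformed value into a different one rather than discarding it. Validating the shape and falling back to the empty prefix would be tighter, for example after the assignment: `$gconfig{'webprefix'} = '' if ($gconfig{'webprefix'} !~ /^(\/[a-zA-Z0-9\-_]+(\.[a-zA-Z0-9\-_]+)*)*$/);`. A comment noting that `webprefix_remote` is only safe behind a proxy that always overwrites this header would help whoever enables the option.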