diff --git a/interface/web/sites/lib/lang/en_webdav_user.lng b/interface/web/sites/lib/lang/en_webdav_user.lng
index 09cf6ff40ea4f8726fb249a72dd5c8ebfa2fea1f..3d43cfc5aad99f7d5c26785192557ddc76085472 100644
--- a/interface/web/sites/lib/lang/en_webdav_user.lng
+++ b/interface/web/sites/lib/lang/en_webdav_user.lng
@@ -13,4 +13,6 @@ $wb["username_error_regex"] = 'The username contains charachters that are not al
$wb["directory_error_empty"] = 'Directory empty.';
$wb["parent_domain_id_error_empty"] = 'No website selected.';
$wb['password_strength_txt'] = 'Password strength';
+$wb['dir_dot_error'] = 'No .. in path allowed.';
+$wb['dir_slashdot_error'] = 'No ./ in path allowed.';
?>
diff --git a/interface/web/sites/webdav_user_edit.php b/interface/web/sites/webdav_user_edit.php
index 5d5a617d897f191ce14d8c0906cfc8f2ec6fcfa0..2d7dc41165d59df85a99dd0dd184b4f2c660be5f 100644
--- a/interface/web/sites/webdav_user_edit.php
+++ b/interface/web/sites/webdav_user_edit.php
@@ -114,7 +114,9 @@ class page_action extends tform_actions {
*/
if(isset($this->dataRecord['username']) && trim($this->dataRecord['username']) == '') $app->tform->errorMessage .= $app->tform->lng('username_error_empty').'
';
if(isset($this->dataRecord['username']) && empty($this->dataRecord['parent_domain_id'])) $app->tform->errorMessage .= $app->tform->lng('parent_domain_id_error_empty').'
';
-
+ if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'..')) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'
';
+ if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'./')) $app->tform->errorMessage .= $app->tform->lng('dir_slashdot_error').'
';
+
parent::onSubmit();
}
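Review bot: The two added checks in onSubmit match substrings of the raw `dir` value rather than path segments, so an ordinary name such as `my..backup` or `conf./x` is rejected and `../x` raises both messages. Comparing whole segments is more exact: `$segs = explode('/', $this->dataRecord['dir']);` followed by `if(in_array('..', $segs, true) || in_array('.', $segs, true)) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'<br />';`. This guard also sits only in the interface form handler, so if `dir` can reach the server through another entry point (not visible in this hunk), the code that actually creates or maps the directory should canonicalise the path and confirm it stays under the website's document root, which would also cover absolute paths and symlinks. If the substring test is kept, `strpos(...) !== false` states the intent better than the case-insensitive `stristr`. The body of onSubmit starts outside the hunk.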