diff --git a/interface/lib/classes/functions.inc.php b/interface/lib/classes/functions.inc.php
index 57e5fdc64d8a46687b05b7f0967c3e41349299a6..c9485346169c435ad9dd3af53542099e13940091 100644
--- a/interface/lib/classes/functions.inc.php
+++ b/interface/lib/classes/functions.inc.php
@@ -477,6 +477,28 @@ class functions {
 		
 		return $out;
 	}
+	
+	// Function to check paths before we use it as include. Use with absolute paths only.
+	public function check_include_path($path) {
+		if(strpos($path,'//')) die('Include path seems to be an URL: '.$this->htmlentities($path));
+		if(strpos($path,'..')) die('Two dots are not allowed in include path: '.$this->htmlentities($path));
+		if(!preg_match("/^[a-zA-Z0-9_\/\.\-]{1,}$/", $path)) die('Wrong chars in include path: '.$this->htmlentities($path));
+		$path = realpath($path);
+		if($path == '') die('Include path does not exist.');
+		if(substr($path,0,strlen(ISPC_ROOT_PATH)) != ISPC_ROOT_PATH) die('Path '.$this->htmlentities($path).' is outside of ISPConfig installation directory.');
+		return $path;
+	}
+	
+	// Function to check language strings
+	public function check_language($language) {
+		global $app;
+		if(preg_match('/^[a-z]{2}$/',$language)) {
+			 return $language;
+		} else {
+			die('Invalid language string: '.$this->htmlentities($language));	
+		}
+	}
+	
 }
 
 ?>
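Review bot: The two `strpos()` guards in check_include_path() are tested for truthiness, so a match at offset 0 returns 0 and counts as "not found"; a path beginning with `..` or `//` skips both and is caught only by the later realpath() prefix test. That containment test is a bare string prefix on ISPC_ROOT_PATH, so a sibling directory whose name starts with the same characters would pass unless the constant ends in a slash (its definition is not in this diff). Both patterns end in `$`, which also matches before a trailing newline, so `\z` is the stricter anchor for the path and for the two-letter language code. check_language() declares `global $app;` without using it. Each helper would also benefit from a docblock saying that it ends the request with die() on failure instead of returning false.

```php
	public function check_include_path($path) {
		if(strpos($path,'//') !== false) die('Include path seems to be an URL: '.$this->htmlentities($path));
		if(strpos($path,'..') !== false) die('Two dots are not allowed in include path: '.$this->htmlentities($path));
		if(!preg_match('/^[a-zA-Z0-9_\/\.\-]{1,}\z/', $path)) die('Wrong chars in include path: '.$this->htmlentities($path));
		// … unchanged: realpath() call and "does not exist" check …
		$root = rtrim(ISPC_ROOT_PATH, '/').'/';
		if(strncmp($path, $root, strlen($root)) !== 0) die('Path '.$this->htmlentities($path).' is outside of ISPConfig installation directory.');
		return $path;

	// … unchanged: check_language() apart from its pattern …
		if(preg_match('/^[a-z]{2}\z/',$language)) {
```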
diff --git a/interface/lib/classes/listform.inc.php b/interface/lib/classes/listform.inc.php
index 15a1a53add169892e4aaba3e1b7d4dcb775d398c..4b92daa73c2cba5cc8b7ec01ee170a452e20a3c8 100644
--- a/interface/lib/classes/listform.inc.php
+++ b/interface/lib/classes/listform.inc.php
@@ -60,7 +60,7 @@ class listform {
 		}
 
 		//* Set local Language File
-		$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_'.$this->listDef['name'].'_list.lng';
+		$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_'.$this->listDef['name'].'_list.lng';
 		if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_'.$this->listDef['name'].'_list.lng';
 		include $lng_file;
 
diff --git a/interface/lib/classes/listform_actions.inc.php b/interface/lib/classes/listform_actions.inc.php
index b4366feaa6535782c082cee801ecbf08924f224b..a13c3fdb739691b6f49f494a1d0de15f1aa406a6 100644
--- a/interface/lib/classes/listform_actions.inc.php
+++ b/interface/lib/classes/listform_actions.inc.php
@@ -249,7 +249,7 @@ class listform_actions {
 		global $app;
 
 		//* Set global Language File
-		$lng_file = ISPC_LIB_PATH.'/lang/'.$_SESSION['s']['language'].'.lng';
+		$lng_file = ISPC_LIB_PATH.'/lang/'.$app->functions->check_language($_SESSION['s']['language']).'.lng';
 		if(!file_exists($lng_file))
 			$lng_file = ISPC_LIB_PATH.'/lang/en.lng';
 		include $lng_file;
diff --git a/interface/lib/classes/listform_tpl_generator.inc.php b/interface/lib/classes/listform_tpl_generator.inc.php
index 0cb158bb39ee6666738b9c28d9bee673030ecd80..031f7a1e564516f037d4f81a4ca6180ba351f673 100644
--- a/interface/lib/classes/listform_tpl_generator.inc.php
+++ b/interface/lib/classes/listform_tpl_generator.inc.php
@@ -153,10 +153,10 @@ class listform_tpl_generator {
 	}
 
 	function lng_add($lang, $listDef, $module = '') {
-		global $go_api, $go_info, $conf;
+		global $app, $conf;
 
 		if($module == '') {
-			$lng_file = "lib/lang/".$conf["language"]."_".$listDef['name']."_list.lng";
+			$lng_file = "lib/lang/".$app->functions->check_language($conf["language"])."_".$listDef['name']."_list.lng";
 		} else {
 			$lng_file = '../'.$module."/lib/lang/en_".$listDef['name']."_list.lng";
 		}
diff --git a/interface/lib/classes/plugin_backuplist.inc.php b/interface/lib/classes/plugin_backuplist.inc.php
index 8e62589f76e5de1c3dcfe01cbb4dddb6bae9ec6f..e96be012e3d6847d43ba990cd9b79c82c3f247f3 100644
--- a/interface/lib/classes/plugin_backuplist.inc.php
+++ b/interface/lib/classes/plugin_backuplist.inc.php
@@ -45,7 +45,7 @@ class plugin_backuplist extends plugin_base {
 		$listTpl->newTemplate('templates/web_backup_list.htm');
 
 		//* Loading language file
-		$lng_file = "lib/lang/".$_SESSION["s"]["language"]."_web_backup_list.lng";
+		$lng_file = "lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_web_backup_list.lng";
 		include $lng_file;
 		$listTpl->setVar($wb);
 
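Review bot: check_language() validates only the format of the code, so a two-letter value with no shipped translation still reaches `include $lng_file;` here, which raises a warning and may leave `$wb` undefined for `setVar()`. listform.inc.php and listform_actions.inc.php fall back to the English file after a `file_exists()` test, and the same guard fits here: `if(!file_exists($lng_file)) $lng_file = "lib/lang/en_web_backup_list.lng";`. The hunks for plugin_backuplist_mail, plugin_directive_snippets, plugin_listview and the page scripts under web/admin, web/client, web/dns, web/sites and web/tools have the same shape. The enclosing method starts outside this hunk, so whether `$app` is in scope at this line cannot be confirmed from the diff.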
diff --git a/interface/lib/classes/plugin_backuplist_mail.inc.php b/interface/lib/classes/plugin_backuplist_mail.inc.php
index 512fb8c9f05a6de50e0b54a1745cbce031d8f483..af133556097d4d329132a31199900eec004f2e70 100644
--- a/interface/lib/classes/plugin_backuplist_mail.inc.php
+++ b/interface/lib/classes/plugin_backuplist_mail.inc.php
@@ -46,7 +46,7 @@ class plugin_backuplist_mail extends plugin_base {
 		$listTpl->newTemplate('templates/mail_user_backup_list.htm');
 				
 		//* Loading language file
-		$lng_file = "lib/lang/".$_SESSION["s"]["language"]."_mail_backup_list.lng";
+		$lng_file = "lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_mail_backup_list.lng";
 		include($lng_file);
 		$listTpl->setVar($wb);
 
diff --git a/interface/lib/classes/plugin_directive_snippets.inc.php b/interface/lib/classes/plugin_directive_snippets.inc.php
index 41138bca1e5891723289a548b9edb9c4ccf19789..555526444692816837a52bfbd393da77edefce57 100644
--- a/interface/lib/classes/plugin_directive_snippets.inc.php
+++ b/interface/lib/classes/plugin_directive_snippets.inc.php
@@ -18,7 +18,7 @@ class plugin_directive_snippets extends plugin_base
 		$listTpl->newTemplate('templates/web_directive_snippets.htm');
 
 		//* Loading language file
-		$lng_file = "lib/lang/".$_SESSION["s"]["language"]."_web_directive_snippets.lng";
+		$lng_file = "lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_web_directive_snippets.lng";
 
 		include $lng_file;
 		$listTpl->setVar($wb);
diff --git a/interface/lib/classes/plugin_listview.inc.php b/interface/lib/classes/plugin_listview.inc.php
index c9d8340e02e290de97bedba9a4edb530aca6a7b4..bd0aa0e160105701a956f69780c95daa6b18dc2a 100644
--- a/interface/lib/classes/plugin_listview.inc.php
+++ b/interface/lib/classes/plugin_listview.inc.php
@@ -120,7 +120,7 @@ class plugin_listview extends plugin_base {
 		}
 
 		// Loading language field
-		$lng_file = "lib/lang/".$_SESSION["s"]["language"]."_".$app->listform->listDef['name']."_list.lng";
+		$lng_file = "lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_".$app->listform->listDef['name']."_list.lng";
 		include $lng_file;
 		$listTpl->setVar($wb);
 
diff --git a/interface/lib/classes/searchform_actions.inc.php b/interface/lib/classes/searchform_actions.inc.php
index e48eb8544de5bfbfe2c5efd2fd419ba1eb184e08..c4372982c0ae5fbd0a7d94683b57d9dd1e96a538 100644
--- a/interface/lib/classes/searchform_actions.inc.php
+++ b/interface/lib/classes/searchform_actions.inc.php
@@ -151,10 +151,10 @@ class searchform_actions {
 		global $app;
 
 		// Language File setzen
-		$lng_file = ISPC_WEB_PATH.'/lang/lib/lang/'.$_SESSION['s']['language'].'_list.lng';
+		$lng_file = ISPC_WEB_PATH.'/lang/lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_list.lng';
 		if(!file_exists($lng_file)) $lng_file = ISPC_WEB_PATH.'/lang/lib/lang/en_'.'_list.lng';
 		include $lng_file;
-		$lng_file = "lib/lang/".$_SESSION["s"]["language"]."_".$app->searchform->listDef['name']."_search.lng";
+		$lng_file = "lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_".$app->searchform->listDef['name']."_search.lng";
 		if(!file_exists($lng_file)) $lng_file = 'lib/lang/en_'.$app->searchform->listDef['name']."_search.lng";
 		include $lng_file;
 		$app->tpl->setVar($wb);
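Review bot: The fallback on the context line after the first changed line concatenates `'en_'.'_list.lng'`, which yields `en__list.lng`, while the primary path is `<lang>_list.lng`. Unless a file with the doubled underscore exists, that fallback never resolves and the following `include` fails for any language without its own file. `$lng_file = ISPC_WEB_PATH.'/lang/lib/lang/en_list.lng';` would match the primary pattern. The comment `// Language File setzen` could be put into English while these lines are being touched. The method begins and ends outside the hunk.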
diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index 0e839c53d3e5aec2263032a896e81b13aa2369e5..3dc9edacc18b10f87fe8befba9d6d3252ee7b2ba 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -134,7 +134,7 @@ class tform_base {
 		$this->module = $module;
 		$wb = array();
 
-		include_once ISPC_ROOT_PATH.'/lib/lang/'.$_SESSION['s']['language'].'.lng';
+		include_once ISPC_ROOT_PATH.'/lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'.lng';
 
 		if(is_array($wb)) $wb_global = $wb;
 
@@ -143,7 +143,7 @@ class tform_base {
 			if(!file_exists($lng_file)) $lng_file = "lib/lang/en_".$this->formDef["name"].".lng";
 			include $lng_file;
 		} else {
-			$lng_file = "../$module/lib/lang/".$_SESSION["s"]["language"]."_".$this->formDef["name"].".lng";
+			$lng_file = "../$module/lib/lang/".$app->functions->check_language($_SESSION["s"]["language"])."_".$this->formDef["name"].".lng";
 			if(!file_exists($lng_file)) $lng_file = "../$module/lib/lang/en_".$this->formDef["name"].".lng";
 			include $lng_file;
 		}
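Review bot: Only the `else` branch of this conditional is wrapped in check_language(). The assignment for the other branch sits on a line between the two hunks of this file and is not part of the diff, so it presumably still builds its path from the raw `$_SESSION["s"]["language"]`. It appears to be covered only because the `include_once` a few lines earlier dies first on an invalid value, and wrapping it explicitly would remove that ordering dependency. `$module` is interpolated into `"../$module/lib/lang/…"` on the changed line and in its fallback without any check; if a request can influence it, it needs its own validation, such as a strict name pattern. The method starts and ends outside the hunk.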
diff --git a/interface/lib/classes/tform_tpl_generator.inc.php b/interface/lib/classes/tform_tpl_generator.inc.php
index f841a09a69f2a08e0c6e46dbdb6dc3cf59642b1d..f0d9649b9c8aed746d46177bf02ddc1e6d483038 100644
--- a/interface/lib/classes/tform_tpl_generator.inc.php
+++ b/interface/lib/classes/tform_tpl_generator.inc.php
@@ -298,7 +298,7 @@ class tform_tpl_generator {
 	function lng_add($lang, $formDef) {
 		global $go_api, $go_info, $conf;
 
-		$lng_file = "lib/lang/".$conf["language"]."_".$formDef['name'].".lng";
+		$lng_file = "lib/lang/".$app->functions->check_language($conf["language"])."_".$formDef['name'].".lng";
 		if(is_file($lng_file)) {
 			include $lng_file;
 		} else {
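Review bot: `$app` is not in scope on the changed line, because lng_add() declares `global $go_api, $go_info, $conf;`. That makes `$app->functions->check_language(...)` a method call on an undefined variable, which raises a fatal error as soon as lng_add() runs. The parallel change in listform_tpl_generator.inc.php updated its declaration to `global $app, $conf;`, and this function needs the same. Keep `$go_api, $go_info` in the list only if the rest of the body, which lies outside the hunk, still uses them.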
diff --git a/interface/web/admin/language_add.php b/interface/web/admin/language_add.php
index f58a2db16dbb6ce159149a8a6e17e86e9a7b6ddc..f36fd946d2de8523279c47286deae3f2617044d4 100644
--- a/interface/web/admin/language_add.php
+++ b/interface/web/admin/language_add.php
@@ -104,7 +104,7 @@ $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
 $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_add.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_add.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/admin/language_complete.php b/interface/web/admin/language_complete.php
index d28e89aa2576ee51d8b6e41030c10fdbded2c3c4..234685498d0486e8b7086e34e69e7c91f5e84d10 100644
--- a/interface/web/admin/language_complete.php
+++ b/interface/web/admin/language_complete.php
@@ -166,7 +166,7 @@ $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
 $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_complete.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_complete.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/admin/language_edit.php b/interface/web/admin/language_edit.php
index c94a5eb2804ed1ef0323a960d49ef58e2c621f5e..f17c4ae9a8477c0e0792701bef2ef0c9090f934a 100644
--- a/interface/web/admin/language_edit.php
+++ b/interface/web/admin/language_edit.php
@@ -104,7 +104,7 @@ $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
 
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_edit.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_edit.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/admin/language_export.php b/interface/web/admin/language_export.php
index 44bc787bd33eefdc29a28f5f3ee00bba9cddd921..3f54e53af8f590e1fa071ba5cd622c19b9e882d5 100644
--- a/interface/web/admin/language_export.php
+++ b/interface/web/admin/language_export.php
@@ -111,7 +111,7 @@ if(isset($_POST['lng_select']) && $error == '') {
 $app->tpl->setVar('msg', $msg);
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_export.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_export.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/admin/language_import.php b/interface/web/admin/language_import.php
index 2e702198048a1de1fdb5a787d9aebe0b6d16a496..6a2d0b5ba65a2e14afb0a8a0f756439388209fb1 100644
--- a/interface/web/admin/language_import.php
+++ b/interface/web/admin/language_import.php
@@ -194,7 +194,7 @@ $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
 $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_import.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_import.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/admin/language_list.php b/interface/web/admin/language_list.php
index 2cb28dc187f1a7f2649715029ae4b584df690576..b935bddd9599bd13d645f3e23af4a35fd2c68127 100644
--- a/interface/web/admin/language_list.php
+++ b/interface/web/admin/language_list.php
@@ -97,7 +97,7 @@ $app->tpl->setLoop('records', $language_files_list);
 
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_list.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_language_list.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/admin/remote_action_ispcupdate.php b/interface/web/admin/remote_action_ispcupdate.php
index f22661e1d47282215c4921f04241f7bfe9407154..938f25a1a37259a0ea229fe1124a27c1f9c0ea7b 100644
--- a/interface/web/admin/remote_action_ispcupdate.php
+++ b/interface/web/admin/remote_action_ispcupdate.php
@@ -44,7 +44,7 @@ $app->tpl->newTemplate('form.tpl.htm');
 $app->tpl->setInclude('content_tpl', 'templates/remote_action_ispcupdate.htm');
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_remote_action.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_remote_action.lng';
 include $lng_file;
 
 /*
diff --git a/interface/web/admin/remote_action_osupdate.php b/interface/web/admin/remote_action_osupdate.php
index 5e73cdfd0f874bccc5d3ee780112ea56113cff35..e39cf0eedfe5c0925e14bc2cf1b7cdd0bbd10b62 100644
--- a/interface/web/admin/remote_action_osupdate.php
+++ b/interface/web/admin/remote_action_osupdate.php
@@ -43,7 +43,7 @@ $app->tpl->newTemplate('form.tpl.htm');
 $app->tpl->setInclude('content_tpl', 'templates/remote_action_osupdate.htm');
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_remote_action.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_remote_action.lng';
 include $lng_file;
 
 /*
diff --git a/interface/web/admin/software_package_list.php b/interface/web/admin/software_package_list.php
index 5e552dbee7b9497c26bf17571c561cb85c4efbe9..b6664d4234ce27fdfc398877ad77e31f80d7e181 100644
--- a/interface/web/admin/software_package_list.php
+++ b/interface/web/admin/software_package_list.php
@@ -184,7 +184,7 @@ if(is_array($packages) && count($packages) > 0) {
 $app->tpl->setLoop('records', $packages);
 
 $language = (isset($_SESSION['s']['language']))?$_SESSION['s']['language']:$conf['language'];
-include_once 'lib/lang/'.$language.'_software_package_list.lng';
+include_once 'lib/lang/'.$app->functions->check_language($language).'_software_package_list.lng';
 $app->tpl->setVar($wb);
 
 
diff --git a/interface/web/admin/software_update_list.php b/interface/web/admin/software_update_list.php
index c987e9e04bebe9606a45cbac217d5c40925a7947..6d680c0ec1ce613db0e448866dbd0036a30c78fa 100644
--- a/interface/web/admin/software_update_list.php
+++ b/interface/web/admin/software_update_list.php
@@ -193,7 +193,7 @@ if(is_array($installed_packages)) {
 $app->tpl->setLoop('records', $records_out);
 
 $language = (isset($_SESSION['s']['language']))?$_SESSION['s']['language']:$conf['language'];
-include_once 'lib/lang/'.$language.'_software_update_list.lng';
+include_once 'lib/lang/'.$app->functions->check_language($language).'_software_update_list.lng';
 $app->tpl->setVar($wb);
 
 
diff --git a/interface/web/client/client_del.php b/interface/web/client/client_del.php
index dfb4e7464909dfe4d31724ec844b4e064230953d..2bddd02a0750294de606cb335e7710987c585f15 100644
--- a/interface/web/client/client_del.php
+++ b/interface/web/client/client_del.php
@@ -97,7 +97,7 @@ class page_action extends tform_actions {
 			$app->tpl->setLoop('records', $table_list);
 
 			//* load language file
-			$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_client_del.lng';
+			$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_client_del.lng';
 			include $lng_file;
 			$app->tpl->setVar($wb);
 
diff --git a/interface/web/client/client_message.php b/interface/web/client/client_message.php
index b4638bd2151ce076df7d96970166e163552d21ea..2617bbe67d9408a711933d6a68229022be4ed64b 100644
--- a/interface/web/client/client_message.php
+++ b/interface/web/client/client_message.php
@@ -42,7 +42,7 @@ $app->tpl->newTemplate('form.tpl.htm');
 $app->tpl->setInclude('content_tpl', 'templates/client_message.htm');
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_client_message.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_client_message.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/client/domain_del.php b/interface/web/client/domain_del.php
index 701b4494b8f92a1885a45ca750931a1f30a852f2..1165f3f936c141288955268a18b9d2080195f8c5 100644
--- a/interface/web/client/domain_del.php
+++ b/interface/web/client/domain_del.php
@@ -54,7 +54,7 @@ class page_action extends tform_actions {
 		global $app; $conf;
 
 		//* load language file
-		$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'.lng';
+		$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'.lng';
 		include $lng_file;
 
 		/*
diff --git a/interface/web/client/domain_edit.php b/interface/web/client/domain_edit.php
index 8867e295783b6280bd6d26bff8c6f5e22a29b544..094e1899be3b8b7eb16f0c1b322d092884d5e851 100644
--- a/interface/web/client/domain_edit.php
+++ b/interface/web/client/domain_edit.php
@@ -49,7 +49,7 @@ $app->uses('tpl,tform,tform_actions');
 $app->load('tform_actions');
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'.lng';
 include $lng_file;
 
 
diff --git a/interface/web/dashboard/dashboard.php b/interface/web/dashboard/dashboard.php
index 7f5fc6e2f0c537682077f4fbffe8a9e72b7ef3b4..5426ba9572cfb085de0891635b2243fc8218e86d 100644
--- a/interface/web/dashboard/dashboard.php
+++ b/interface/web/dashboard/dashboard.php
@@ -51,7 +51,7 @@ $app->uses('tpl');
 $app->tpl->newTemplate("templates/dashboard.htm");
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/dns/dns_import.php b/interface/web/dns/dns_import.php
index 49c14185d016fca3462697b918983c8ebb0fe3d4..540a731ba24d53f805d35838b801ef2f83ad16d1 100644
--- a/interface/web/dns/dns_import.php
+++ b/interface/web/dns/dns_import.php
@@ -204,7 +204,7 @@ if ($settings['use_domain_module'] == 'y') {
 	}
 }
 
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_dns_import.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_dns_import.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php
index 32112560a48ba9747f18eee43570acb6c4a96493..17d767550c5555320bf8e5fe19481032c6d26864 100644
--- a/interface/web/dns/dns_wizard.php
+++ b/interface/web/dns/dns_wizard.php
@@ -465,7 +465,7 @@ $csrf_token = $app->auth->csrf_token_get('dns_wizard');
 $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
 $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);
 
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_dns_wizard.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_dns_wizard.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/js/scrigo.js.php b/interface/web/js/scrigo.js.php
index 7c6bf31cbf4dcf4fa56f26afd9f53e7eb05170be..4022454f5b4b3a395d3425f9c5af3755b04f1a0e 100644
--- a/interface/web/js/scrigo.js.php
+++ b/interface/web/js/scrigo.js.php
@@ -3,6 +3,7 @@ include '../../lib/config.inc.php';
 header('Content-Type: text/javascript; charset=utf-8'); // the config file sets the content type header so we have to override it here!
 require_once '../../lib/app.inc.php';
 $lang = (isset($_SESSION['s']['language']) && $_SESSION['s']['language'] != '')?$_SESSION['s']['language']:'en';
+$lang = $app->functions->check_language($lang);
 include_once ISPC_ROOT_PATH.'/web/strengthmeter/lib/lang/'.$lang.'_strengthmeter.lng';
 
 $app->uses('ini_parser,getconf');
diff --git a/interface/web/login/index.php b/interface/web/login/index.php
index 441de353ca5aa41fff7f7eaf8a96d1f7422be4a3..558896acb7477d99b14dcff998bd67a16f174864 100644
--- a/interface/web/login/index.php
+++ b/interface/web/login/index.php
@@ -229,12 +229,12 @@ if(count($_POST) > 0) {
 						if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back!
 						$_SESSION['s']['user'] = $user;
 						$_SESSION['s']['user']['theme'] = isset($user['app_theme']) ? $user['app_theme'] : 'default';
-						$_SESSION['s']['language'] = $user['language'];
+						$_SESSION['s']['language'] = $app->functions->check_language($user['language']);
 						$_SESSION["s"]['theme'] = $_SESSION['s']['user']['theme'];
 						if ($loginAs) $_SESSION['s']['plugin_cache'] = $_SESSION['s_old']['plugin_cache'];
 						
 						if(is_file(ISPC_WEB_PATH . '/' . $_SESSION['s']['user']['startmodule'].'/lib/module.conf.php')) {
-							include_once ISPC_WEB_PATH . '/' . $_SESSION['s']['user']['startmodule'].'/lib/module.conf.php';
+							include_once $app->functions->check_include_path(ISPC_WEB_PATH . '/' . $_SESSION['s']['user']['startmodule'].'/lib/module.conf.php');
 							$menu_dir = ISPC_WEB_PATH.'/' . $_SESSION['s']['user']['startmodule'] . '/lib/menu.d';
 								if (is_dir($menu_dir)) {
 								if ($dh = opendir($menu_dir)) {
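Review bot: `is_file()` probes the path built from `$_SESSION['s']['user']['startmodule']` before check_include_path() ever sees it, and `$menu_dir` on the line after the include is built from the same value and passed to `is_dir()`/`opendir()` unchecked. Validating the module name once, before any filesystem call, keeps the three uses consistent, for example `if(!preg_match('/^[a-z0-9_]+\z/', $_SESSION['s']['user']['startmodule'])) die('Invalid start module.');` with the pattern adjusted to the real module naming rules. What is done with the directory entries happens outside the hunk. check_language() on the changed session line calls die() after `$_SESSION['s']['user']` has already been assigned, so a stored language that is not exactly two lowercase letters ends the login request with a partly populated session. Falling back to a default language and logging the bad value would fail more gracefully.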
diff --git a/interface/web/login/login_as.php b/interface/web/login/login_as.php
index 4b78c6c41b530b1a9a3b10842b53e9e12e6c084a..159f15b77ea390805c8f4f8ba3e5a855cb421459 100644
--- a/interface/web/login/login_as.php
+++ b/interface/web/login/login_as.php
@@ -83,7 +83,7 @@ $dbData = $app->db->queryOneRecord(
  * TODO: move the login_as form to a template file -> themeability
  */
 
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_login_as.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_login_as.lng';
 include $lng_file;
 
 echo '
diff --git a/interface/web/login/logout.php b/interface/web/login/logout.php
index a4a127ff8bcfa3cd3e48fcd1f3cfa311a070e84e..dc1c9e4a422055d1d3bdf450136d40b53c682887 100644
--- a/interface/web/login/logout.php
+++ b/interface/web/login/logout.php
@@ -43,7 +43,7 @@ if (isset($_GET['l']) && ($_GET['l']== 1)) $forceLogout = true;
 if ((isset($_SESSION['s_old']) && ($_SESSION['s_old']['user']['typ'] == 'admin' || $app->auth->has_clients($_SESSION['s_old']['user']['userid']))) &&
 	(!$forceLogout)){
 	$utype = ($_SESSION['s_old']['user']['typ'] == 'admin' ? 'admin' : 'reseller');
-	$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_login_as.lng';
+	$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_login_as.lng';
 	include $lng_file;
 	echo '
 		<br /> <br />	<br /> <br />
diff --git a/interface/web/login/password_reset.php b/interface/web/login/password_reset.php
index e6976bff734798d0c5ee59440c161f072465540c..02c71f2948383a02202dfc4b53e83f2a5a2bbc46 100644
--- a/interface/web/login/password_reset.php
+++ b/interface/web/login/password_reset.php
@@ -43,7 +43,7 @@ $app->tpl->setInclude('content_tpl', 'templates/password_reset.htm');
 
 $app->tpl_defaults();
 
-include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng';
+include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'.lng';
 $app->tpl->setVar($wb);
 $continue = true;
 
diff --git a/interface/web/mailuser/index.php b/interface/web/mailuser/index.php
index b7748ac1ccac8602b806abfc655ef75db125e2b5..c9541df2bd1919395946bcd1379cd16727cbeeb9 100644
--- a/interface/web/mailuser/index.php
+++ b/interface/web/mailuser/index.php
@@ -13,7 +13,7 @@ $msg = '';
 $error = '';
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_index.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_index.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/nav.php b/interface/web/nav.php
index 68ceb898beafb15248fa6232b149f1236c8417ee..1091276b86153638719e3c248bb10dfca91d85ff 100644
--- a/interface/web/nav.php
+++ b/interface/web/nav.php
@@ -75,7 +75,7 @@ if(isset($_GET['nav']) && $_GET['nav'] == 'top') {
 					}
 
 					include_once $mt.'/lib/module.conf.php';
-					$language = (isset($_SESSION['s']['user']['language']))?$_SESSION['s']['user']['language']:$conf['language'];
+					$language = $app->functions->check_language((isset($_SESSION['s']['user']['language']))?$_SESSION['s']['user']['language']:$conf['language']);
 					$app->load_language_file('web/'.$mt.'/lib/'.$language.'.lng');
 					$active = ($module['name'] == $_SESSION['s']['module']['name']) ? 1 : 0;
 					$topnav[$module['order'].'-'.$module['name']] = array( 'title'  => $app->lng($module['title']),
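Review bot: `$mt` is concatenated into `include_once $mt.'/lib/module.conf.php'` on the line above the change and into the `load_language_file()` argument below it, and neither use is covered by the new checks. Where `$mt` is assigned lies outside the hunk. If it comes from the session's module list, passing the include through check_include_path() would match what login/index.php now does; that helper's comment requires an absolute path. Judging by the indentation, the check_language() call also sits inside a loop although its inputs do not change per iteration, so it could be computed once before the loop.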
diff --git a/interface/web/sites/aps_install_package.php b/interface/web/sites/aps_install_package.php
index 19ab785c957d5df02db5f7ceb0275832fe524c84..4739e25b8a69798e2d253a059e10a12f0e2652c3 100644
--- a/interface/web/sites/aps_install_package.php
+++ b/interface/web/sites/aps_install_package.php
@@ -42,7 +42,7 @@ $app->tpl->newTemplate("form.tpl.htm");
 $app->tpl->setInclude('content_tpl', 'templates/aps_install_package.htm');
 
 // Load the language file
-$lngfile = 'lib/lang/'.$_SESSION['s']['language'].'_aps.lng';
+$lngfile = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_aps.lng';
 require_once $lngfile;
 $app->tpl->setVar($wb);
 $app->load_language_file('web/sites/'.$lngfile);
diff --git a/interface/web/sites/aps_packagedetails_show.php b/interface/web/sites/aps_packagedetails_show.php
index 1723ffbff207708acaf10077502f690dddc7c14e..d0503bf9f03faea2f1226cb2c7f5273d90427b1c 100644
--- a/interface/web/sites/aps_packagedetails_show.php
+++ b/interface/web/sites/aps_packagedetails_show.php
@@ -42,7 +42,7 @@ $app->tpl->newTemplate("listpage.tpl.htm");
 $app->tpl->setInclude('content_tpl', 'templates/aps_packagedetails_show.htm');
 
 // Load the language file
-$lngfile = 'lib/lang/'.$_SESSION['s']['language'].'_aps.lng';
+$lngfile = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_aps.lng';
 require_once $lngfile;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/sites/aps_update_packagelist.php b/interface/web/sites/aps_update_packagelist.php
index a1278d0ebe318fdb0b9ed5e836f62ad14ec79bd6..821da77bb9558f45ee545eb7b8219d5450824187 100644
--- a/interface/web/sites/aps_update_packagelist.php
+++ b/interface/web/sites/aps_update_packagelist.php
@@ -41,7 +41,7 @@ $msg = '';
 $error = '';
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_aps_update_packagelist.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_aps_update_packagelist.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/tools/import_ispconfig.php b/interface/web/tools/import_ispconfig.php
index 4012802bc78065c133a76427e451cd5b99f3318a..e2b8bad6479d43aeced846ebf2669da516276054 100644
--- a/interface/web/tools/import_ispconfig.php
+++ b/interface/web/tools/import_ispconfig.php
@@ -44,7 +44,7 @@ $msg = '';
 $error = '';
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_import_ispconfig.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_import_ispconfig.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/tools/import_vpopmail.php b/interface/web/tools/import_vpopmail.php
index 3ef87710e593cb37c6980e5cfa4e16c54052dc3d..0209c80e28d6dc43aff100acfaa0ac2d9d555f89 100644
--- a/interface/web/tools/import_vpopmail.php
+++ b/interface/web/tools/import_vpopmail.php
@@ -46,7 +46,7 @@ $msg = '';
 $error = '';
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_import_vpopmail.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_import_vpopmail.lng';
 include $lng_file;
 $app->tpl->setVar($wb);
 
diff --git a/interface/web/tools/index.php b/interface/web/tools/index.php
index 05c7f71fbafee1d68e017102693f9738b59b8824..0e223b98a457789172c947c8d545eaa38edd460c 100644
--- a/interface/web/tools/index.php
+++ b/interface/web/tools/index.php
@@ -41,7 +41,7 @@ $app->uses('tpl');
 $app->tpl->newTemplate('listpage.tpl.htm');
 $app->tpl->setInclude('content_tpl', 'templates/index.htm');
 
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_index.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_index.lng';
 include $lng_file;
 
 $app->tpl->setVar($wb);
diff --git a/interface/web/tools/tpl_default.php b/interface/web/tools/tpl_default.php
index dacbeae9b271966565af0a4904ac4d59f740ad51..b4ac189daaec04d4dc3674af9f63611eabecf9f3 100644
--- a/interface/web/tools/tpl_default.php
+++ b/interface/web/tools/tpl_default.php
@@ -41,7 +41,7 @@ $app->uses('tpl');
 $app->tpl->newTemplate('listpage.tpl.htm');
 $app->tpl->setInclude('content_tpl', 'templates/tpl_default.htm');
 
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_tpl_default.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_tpl_default.lng';
 include $lng_file;
 
 $app->tpl->setVar($wb);
diff --git a/interface/web/tools/user_settings.php b/interface/web/tools/user_settings.php
index ccf86adda98f9f6696696de24ec700de1fdf25a5..5c3876fb864d8036338dda594437adcf0208d765 100644
--- a/interface/web/tools/user_settings.php
+++ b/interface/web/tools/user_settings.php
@@ -86,12 +86,10 @@ class page_action extends tform_actions {
 		if($_POST['passwort'] != $_POST['repeat_password']) {
 			$app->tform->errorMessage = $app->tform->lng('password_mismatch');
 		}
-		if(preg_match('/[a-z]{2}/',$_POST['language'])) {
-			$_SESSION['s']['user']['language'] = $_POST['language'];
-			$_SESSION['s']['language'] = $_POST['language'];
-		} else {
-			$app->error('Invalid language.');
-		}
+		
+		$language = $app->functions->check_language($_POST['language']);
+		$_SESSION['s']['user']['language'] = $language;
+		$_SESSION['s']['language'] = $language;
 	}
 	
 	function onAfterUpdate() {
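Review bot: A rejected `language` value now ends in die() inside check_language() instead of `$app->error('Invalid language.')`, so the user gets a bare text response rather than the application's error page, and an absent `$_POST['language']` takes the same path. If that is not intended, keep the error handler and tighten only the pattern: `if(!preg_match('/^[a-z]{2}\z/', $_POST['language'])) $app->error('Invalid language.');` before the two session assignments. The method begins before the hunk, so whether the value written to the database gets the same validation is not visible here.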
diff --git a/interface/web/vm/openvz_action.php b/interface/web/vm/openvz_action.php
index 4b429eb44d5cdd889a0f79f5b564e53eb89deb1a..c0bedf19be0ba9ff218f895c0cbd722c963beb62 100644
--- a/interface/web/vm/openvz_action.php
+++ b/interface/web/vm/openvz_action.php
@@ -32,7 +32,7 @@ $app->tpl->newTemplate('form.tpl.htm');
 $app->tpl->setInclude('content_tpl', 'templates/openvz_action.htm');
 
 //* load language file
-$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_openvz_action.lng';
+$lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_openvz_action.lng';
 include_once $lng_file;
 $app->tpl->setVar($wb);