diff --git a/cryptobox.conf.d/usr/lib/cryptobox/devel-features.sh b/cryptobox.conf.d/usr/lib/cryptobox/devel-features.sh
index a268a89..ec143e3 100755
--- a/cryptobox.conf.d/usr/lib/cryptobox/devel-features.sh
+++ b/cryptobox.conf.d/usr/lib/cryptobox/devel-features.sh
@@ -47,7 +47,9 @@ case "$ACTION" in
 cd "`dirname \"$MIRROR_ORIG_DIR\"`"
 # diff and remove "binary files differ"-warnings (vi-swap-files)
 # ignore generated reports
- diff -ruN --exclude=report "`basename \"$MIRROR_ORIG_DIR\"`" "`basename \"$MIRROR_DIR\"`" | grep -v "^Binary files"
+ # ignore cryptobox.pl and index.html, as those are the same as
+ # /var/www/cryptobox (symbilic links)
+ diff -ruN --exclude=report --exclude=cryptobox.pl --exclude=index.html "`basename \"$MIRROR_ORIG_DIR\"`" "`basename \"$MIRROR_DIR\"`" | grep -v "^Binary files"
 ;;
 stop )
 /etc/init.d/ssh stop
diff --git a/cryptobox.conf.d/usr/share/cryptobox/lang/de.hdf b/cryptobox.conf.d/usr/share/cryptobox/lang/de.hdf
index 02498a6..fcb2d53 100644
--- a/cryptobox.conf.d/usr/share/cryptobox/lang/de.hdf
+++ b/cryptobox.conf.d/usr/share/cryptobox/lang/de.hdf
@@ -89,6 +89,21 @@ Lang {
 Title = Konfiguration gefunden
 Text = Die CryptoBox wurde bereits eingerichtet. Bei einer erneuten Initialisierung werden alle Daten gelöscht!
 }
+
+ InvalidLanguage {
+ Title = Ungültige Sprache
+ Text = Die ausgewählte Sprache ist nicht verfügbar!
+ }
+
+ InvalidIP {
+ Title = Ungültige IP
+ Text = Die ausgewählte Netzwerkadresse ist nicht gültig!
+ }
+
+ InvalidTimeOut {
+ Title = Ungültige Zeitabschaltung
+ Text = Der ausgewählte Wert der Zeitabschaltung ist nicht gültig!
+ }
 }
diff --git a/cryptobox.conf.d/var/www/cgi-bin/cryptobox.pl b/cryptobox.conf.d/var/www/cgi-bin/cryptobox.pl
index 2e92154..bc4e0f5 100755
--- a/cryptobox.conf.d/var/www/cgi-bin/cryptobox.pl
+++ b/cryptobox.conf.d/var/www/cgi-bin/cryptobox.pl
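Review bot: The comment added above the new diff invocation misspells "symbolic"; `# /var/www/cryptobox (symbolic links)`. The rewritten diff line also carries over the nested backticks with backslash-escaped quotes around the two basename calls, which is the hard-to-read form; `"$(basename "$MIRROR_ORIG_DIR")"` and `"$(basename "$MIRROR_DIR")"` nest cleanly without the escaping. The case arm this line belongs to starts before the hunk.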
@@ -201,6 +201,38 @@ sub system_reboot()
 }
+sub validate_ip()
+{
+ my $ip = shift;
+ my @octets = split /\./, $ip;
+ return 0 if ($#octets == 4);
+ # check for values and non-digits
+ return 0 if ((@octets[0] <= 0) || (@octets[0] >= 255) || (@octets[0] =~ /\D/));
+ return 0 if ((@octets[1] < 0) || (@octets[1] >= 255) || (@octets[1] =~ /\D/));
+ return 0 if ((@octets[2] < 0) || (@octets[2] >= 255) || (@octets[2] =~ /\D/));
+ return 0 if ((@octets[3] <= 0) || (@octets[3] >= 255) || (@octets[3] =~ /\D/));
+ return 1;
+}
+
+
+sub validate_timeout()
+{
+ my $timeout = shift;
+ return 0 if ($timeout =~ /\D/);
+ return 1;
+}
+
+
+sub validate_language()
+{
+ my $language = shift;
+ # check for non-alphanumeric character
+ return 0 if ($language = ~/\W/);
+ return 0 if ( ! -e "$LANGUAGE_DIR/$language" . '.hdf');
+ return 1;
+}
+
+
 ################### main #########################
 my $query = new CGI;
@@ -336,18 +368,15 @@ if ( ! &check_ssl()) {
 $pagedata->setValue('Data.Action', 'config_form');
 }
 #################### set_lang ########################
+ # this action is called by the language links in the upper left of the web interface
 } elsif ($action eq 'set_lang') {
- # TODO: check for invalid file names (containing "../../.." and so on)
 # TODO: ugly problem: can't save the setting, as long as the box is unconfigured
 my $language = $query->param('language');
- my $lang_file = "$LANGUAGE_DIR/$language" . ".hdf";
- if (-e "$lang_file") {
+ if (&validate_language($language)) {
 system("$CB_SCRIPT", "set_config", "language", "$language");
 &load_language_data($pagedata, $language);
 } else {
- # warning for user is not necessary, as this wrong value
- # has surely been injected
- warn ("Could not find language file ($lang_file)!");
+ $pagedata->setValue('Data.Warning', 'InvalidLanguage');
 }
 $pagedata->setValue('Data.Action', 'intro');
 #################### config_do #######################
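Review bot: `validate_language` never accepts a value, because `return 0 if ($language = ~/\W/);` assigns the bitwise negation of a match against `$_` to `$language` instead of binding the regex, so the argument is clobbered before the `-e` test runs; it should read `return 0 if ($language =~ /\W/);`. The set_lang branch in the next hunk and the config_do branch both depend on this result, so every language selection currently ends in the InvalidLanguage warning. In `validate_ip`, `return 0 if ($#octets == 4)` rejects only exactly five fields (`$#octets` is the last index), so a constructed value like 1.2.3.4.5.6 passes the length check and only its first four fields are examined; `return 0 if ($#octets != 3);` is the intended test, and the one-element slices `@octets[0]` should be `$octets[0]` (Perl warns about the slice form). `validate_timeout` accepts the empty string and undef, since `/\D/` then has nothing to reject; an anchored positive test, `return 0 unless (defined $timeout && $timeout =~ /^\d+$/);`, states what a timeout must look like. The empty `()` prototypes on all three subs mean a plain call such as `validate_ip($ip)` would not compile, and they only work because every call site uses the `&` form.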
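Review bot: `$language` is undef whenever the request carries no `language` parameter, and the new `if (&validate_language($language))` passes that undef into a regex match and a string interpolation, both of which warn under `use warnings` (assumed to be enabled; not visible in the hunk). Guarding at the call site, `if (defined $language && &validate_language($language)) {`, keeps the warning out of the web server log and routes the request to the InvalidLanguage branch as intended. The surrounding `elsif` chain begins before the hunk and continues after it.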
@@ -356,13 +385,23 @@ if ( ! &check_ssl()) {
 $pagedata->setValue('Data.Warning', 'NotConfigured');
 $pagedata->setValue('Data.Action', 'init_form');
 } else {
- # TODO: parse for valid values
- system("$CB_SCRIPT", "set_config", "language", $query->param('language'));
- system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout'));
- system("$CB_SCRIPT", "set_config", "ip", $query->param('ip'));
- # TODO: check for success by comparing with new config and report success
- $pagedata->setValue('Data.Success', 'ConfigSaved');
- $pagedata->setValue('Data.Action', 'intro');
+ if ( ! &validate_language()) {
+ $pagedata->setValue('Data.Warning', 'InvalidLanguage');
+ $pagedata->setValue('Data.Action', 'config_ask');
+ } elsif ( ! &validate_ip()) {
+ $pagedata->setValue('Data.Warning', 'InvalidIP');
+ $pagedata->setValue('Data.Action', 'config_ask');
+ } elsif ( ! &validate_timeout()) {
+ $pagedata->setValue('Data.Warning', 'InvalidTimeOut');
+ $pagedata->setValue('Data.Action', 'config_ask');
+ } else {
+ system("$CB_SCRIPT", "set_config", "language", $query->param('language'));
+ system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout'));
+ system("$CB_SCRIPT", "set_config", "ip", $query->param('ip'));
+ # TODO: check for success by comparing with new config and report success
+ $pagedata->setValue('Data.Success', 'ConfigSaved');
+ $pagedata->setValue('Data.Action', 'intro');
+ }
 }
 #################### show_log ########################
 } elsif ($action eq 'show_log') {
@@ -381,7 +420,7 @@ if ( ! &check_ssl()) {
 $pagedata->setValue('Data.Action', 'shutdown_form');
 ##################### reboot ######################
 } elsif ($action eq 'shutdown_do') {
- if ($type eq 'reboot') {
+ if ($query->param('type') eq 'reboot') {
 &system_reboot();
 $pagedata->setValue('Data.Success', 'ReBoot');
 } else {
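Review bot: The three validators are called with no argument — `&validate_language()`, `&validate_ip()` and `&validate_timeout()` each pass an empty `@_`, so every `shift` inside them yields undef and the submitted values are never examined, while the `else` branch reads the parameters from `$query` separately. Read each parameter once into a lexical, pass that to the validator, and hand the same lexical to set_config, so that what was checked is exactly what is saved. The enclosing `if/else` on the configured state starts before the hunk.
```perl
} else {
	my $language = $query->param('language');
	my $timeout  = $query->param('timeout');
	my $ip       = $query->param('ip');
	if ( ! &validate_language($language)) {
		# … unchanged: InvalidLanguage warning, config_ask …
	} elsif ( ! &validate_ip($ip)) {
		# … unchanged: InvalidIP warning, config_ask …
	} elsif ( ! &validate_timeout($timeout)) {
		# … unchanged: InvalidTimeOut warning, config_ask …
	} else {
		system("$CB_SCRIPT", "set_config", "language", $language);
		system("$CB_SCRIPT", "set_config", "timeout", $timeout);
		system("$CB_SCRIPT", "set_config", "ip", $ip);
		# … unchanged: ConfigSaved / intro …
	}
```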
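Review bot: When the request carries no `type` parameter, `$query->param('type') eq 'reboot'` compares undef (a warning under `use warnings`) and falls through to the `else` branch, whose body lies outside the hunk; if that branch is the shutdown path, a request that merely omits the parameter would power the box off. Compare an explicit value and treat anything unexpected as an error rather than as the default: `my $type = $query->param('type') || '';` followed by `if ($type eq 'reboot') {` and an `elsif ($type eq 'shutdown')` ahead of any fallback.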