diff --git a/Changes b/Changes
index 71e74cf..c5159c4 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,9 @@
+3.3.1 - 21-Nov-2013
+====================
+- Fixed to correctly sanitize the input string in the built-in HTTP server
+ which led a number of security vulnerabilities. [#30]
+
+
 3.3.0 - 12-Aug-2013
 ====================
 - Added a complete statistical Wowza Media Server graph.
diff --git a/lib/HTTPServer.pm b/lib/HTTPServer.pm
index 5e27b95..031dba5 100644
--- a/lib/HTTPServer.pm
+++ b/lib/HTTPServer.pm
@@ -148,6 +148,7 @@ sub handle_request {
 my $target;
 my $target_cgi;
 my @data;
+ my $OK_CHARS='-a-zA-Z0-9_./'; # a restrictive list of valid chars
 return if fork(); # parent returns
@@ -192,8 +193,12 @@ sub handle_request {
 }
 ($mimetype) = ($target =~ m/.*\.(html|cgi|png)$/);
- $target =~ s/^\///; # removes leading slash
- $target_cgi =~ s/^\///; # removes leading slash
+ $target =~ s/^\/*//; # removes leading slashes
+ $target_cgi =~ s/^\/*//; # removes leading slashes
+
+ $target =~ s/[^$OK_CHARS]/_/go; # only $OK_CHARS are allowed
+ $target_cgi =~ s/[^$OK_CHARS]/_/go; # only $OK_CHARS are allowed
+
 if($target_cgi eq "monitorix.cgi") {
 chdir("cgi");
 open(EXEC, "./$target_cgi |");
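Review bot: `$OK_CHARS` on the added line is a plain string that the later `s/[^$OK_CHARS]/_/go` lines interpolate into a `[^...]` character class, so its meaning depends on the leading `-` staying first and on nobody adding a `]` or `\` to the list; the trailing comment does not state that contract. Either document it, `# interpolated into a [^...] class: keep '-' first, no ']' or '\'`, or declare a precompiled pattern instead, `my $NOT_OK_CHAR = qr{[^-a-zA-Z0-9_./]};`, and use it as `s/$NOT_OK_CHAR/_/g`. An ALL_CAPS constant-style name on a `my` variable declared once per call is also misleading; a file-scope `use constant` or `Readonly` would match the name and remove the need for `/o`. `handle_request` begins before this hunk.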
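Review bot: The whitelist applied by the two `s/[^$OK_CHARS]/_/go` lines still admits `.` and `/`, so a `$target` or `$target_cgi` built from `..` path components passes through unchanged, and the `s/^\/*//` lines above only strip slashes at the start of the string; the code that later opens `$target` lies outside this hunk, so I cannot tell whether anything else confines it to the document root. Reject or collapse such components explicitly after the whitelist, e.g. `return if $target =~ m{(?:\A|/)\.\.(?:/|\z)};` (and the same for `$target_cgi`), or resolve the path and verify it stays under the intended base directory. The `/o` modifier is also a trap here: it interpolates `$OK_CHARS` only once for the life of the process, so any later change to the list would be silently ignored; `/g` alone is enough. `handle_request` begins and ends outside this hunk.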