diff --git a/src/admin/makehtml_homepage.php b/src/admin/makehtml_homepage.php
index f2bc4015..31cbc7bf 100644
--- a/src/admin/makehtml_homepage.php
+++ b/src/admin/makehtml_homepage.php
@@ -12,6 +12,10 @@ require_once(dirname(__FILE__)."/config.php");
 CheckPurview('sys_MakeHtml');
 require_once(DEDEINC."/archive/partview.class.php");
 if (empty($dopost)) $dopost = '';
+if (!preg_match('#\.htm$#i', trim($templet))) {
+ ShowMsg("不是合法的模板文件,后缀必须为.htm", "javascript:;");
+ exit();
+}
 if ($dopost == "view") {
 $pv = new PartView();
 $templet = str_replace("{style}", $cfg_df_style, $templet);
@@ -60,6 +64,10 @@ if ($dopost == "view") {
 }
 $remotepos = empty($remotepos) ? '/index.html' : $remotepos;
 $serviterm = empty($serviterm) ? "" : $serviterm;
+ if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$#i', trim($position))) {
+ ShowMsg("您指定的文件名被系统禁止", "javascript:;");
+ exit();
+ }
 $homeFile = DEDEADMIN."/".$position;
 $homeFile = str_replace("\\", "/", $homeFile);
 $homeFile = str_replace("//", "/", $homeFile);
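Review bot: The new `.htm` suffix check on `$templet` constrains only the file extension, so the directory part of the value (including `..` segments) is still passed unchanged into the `{style}` substitution and the template loader below; the check should also confine the path, e.g. reject `str_contains($templet, '..')` or compare `realpath()` of the resolved file against the expected template directory prefix. The trimmed value is used for the test but the untrimmed `$templet` is what flows on, so trim once and reuse it, `$templet = trim($templet);` before the `preg_match`. It also appears `$templet` is not defaulted in the visible context before this check runs, so if the page is opened with no parameters (the plain form load, `$dopost` empty) the guard may fire before the form is shown — worth confirming and guarding with an `isset`/default if so, which also avoids the PHP 8.1 null-to-string deprecation in `trim()`.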
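Review bot: The second hunk's extension check on `$position` is a denylist, so any suffix not enumerated still passes into `$homeFile = DEDEADMIN."/".$position` and is written; since the output here is a generated HTML page (`$remotepos` defaults to `/index.html`), an allowlist is the safer shape, `if (!preg_match('#\.html?$#i', trim($position))) { ShowMsg(...); exit(); }`. As in the first hunk, the directory component is not constrained, so the resolved `$homeFile` should additionally be checked to lie under the intended output directory before it is written. The added block is also indented one level deeper than the surrounding top-level statements (`$serviterm = ...`, `$homeFile = ...`); align it with them.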