diff --git a/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs b/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs
index 605100963..a574298e4 100644
--- a/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs
+++ b/BlogEngine/BlogEngine.Core/Data/UsersRepository.cs
@@ -98,6 +98,9 @@ public BlogUser Add(BlogUser user)
 if (!Security.IsAuthorizedTo(Rights.CreateNewUsers))
 throw new UnauthorizedAccessException();
+ if (user.UserName.Contains("/") || user.UserName.Contains(@"\"))
+ throw new ApplicationException("Error adding new user; Invalid character detected in UserName");
+
 // create user
 var usr = Membership.CreateUser(user.UserName, user.Password, user.Email);
 if (usr == null)
diff --git a/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs b/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs
index e45cb6c03..0c6b263ed 100644
--- a/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs
+++ b/BlogEngine/BlogEngine.Core/Providers/FileSystemProviders/XmlFileSystemProvider.cs
@@ -28,7 +28,7 @@ private static string BlogAbsolutePath(string VirtualPath)
 private static string RelativeFilePath(string VirtualPath)
 {
 VirtualPath = VirtualPath.Replace("//","/").Trim();
- if (VirtualPath.ToLower().Contains(FileContainerRoot.ToLower()))
+ if (VirtualPath.ToLower().Contains(FileContainerRoot.ToLower()+"/") || VirtualPath.ToLower() == FileContainerRoot.ToLower())
 return VirtualPath;
 // ex: Oct 18 2012, added this to handle the case on the File Manager where if
diff --git a/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs b/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs
index ad6b01192..688ada454 100644
--- a/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs
+++ b/BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs
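Review bot: A two-character denylist is a thin boundary for `user.UserName`, because the name is later used verbatim as a file name (UploadController builds `User.Identity.Name + ext` into an avatar path), and the `.Contains` calls throw NullReferenceException on a null UserName before Membership ever sees it; an allowlist-style check is safer and covers both, e.g. `if (string.IsNullOrWhiteSpace(user.UserName) || user.UserName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 || user.UserName == "." || user.UserName == "..")` (needs `using System.IO;`). The same two-character check is duplicated in UploadController.Post; a single shared helper such as `UserNameValidator.IsValidFileNameSafe(string)` in Core would keep the two call sites in step when the rule changes. ApplicationException is discouraged for new code — a rejected input is an `ArgumentException("Invalid character detected in UserName", nameof(user))`, which callers can distinguish from the UnauthorizedAccessException thrown just above.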
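Review bot: The tightened condition in RelativeFilePath still uses `Contains`, so a virtual path that carries the container root as an inner segment rather than as its prefix is returned untouched; if a prefix is what is meant (the comment below the hunk suggests the File Manager passes several forms, so this needs confirming), `StartsWith` states that directly and also drops the culture-sensitive `ToLower()` copies: `if (VirtualPath.StartsWith(FileContainerRoot + "/", StringComparison.OrdinalIgnoreCase) || string.Equals(VirtualPath, FileContainerRoot, StringComparison.OrdinalIgnoreCase))`. `ToLower()` without a culture can change results under e.g. the Turkish culture, and OrdinalIgnoreCase is the right comparison for path strings. A minor related point on the unchanged line above: a single `Replace("//","/")` collapses only one level, so `///` becomes `//` and the `+ "/"` suffix can then be missed. RelativeFilePath continues past the end of the hunk, so how the non-matching case is handled is not visible here.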
@@ -64,6 +64,8 @@ public HttpResponseMessage Post(string action, string dirPath = "")
 dir = BlogService.GetDirectory("/avatars");
 var dot = fileName.LastIndexOf(".");
 var ext = dot > 0 ? fileName.Substring(dot) : "";
+ if (User.Identity.Name.Contains("/") || User.Identity.Name.Contains(@"\"))
+ throw new ApplicationException("Invalid character detected in UserName");
 var profileFileName = User.Identity.Name + ext;
 var imgPath = HttpContext.Current.Server.MapPath(dir.FullPath + "/" + profileFileName);
@@ -157,4 +159,4 @@ private void UploadVideo(string virtualFolder, HttpPostedFile file, string fileN
 }
 #endregion
-}
\ No newline at end of file
+}
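Review bot: The added guard validates `User.Identity.Name` but not `ext`, which is cut from the caller-supplied `fileName` two lines above and concatenated into the same `imgPath`, so everything after the last dot in `fileName` reaches the avatar file name unchecked. Since this branch is specifically the avatars upload, an allowlist is the natural check, e.g. `if (!new[] { ".png", ".jpg", ".jpeg", ".gif" }.Contains(ext, StringComparer.OrdinalIgnoreCase)) return Request.CreateErrorResponse(HttpStatusCode.BadRequest, "Unsupported avatar file type");` (System.Linq / System.Net usings assumed), and the username check could reuse the same helper as UsersRepository.Add instead of repeating the two-character denylist. In a Web API action an invalid request is better reported as a 400 via `Request.CreateErrorResponse` than by throwing ApplicationException, which surfaces as a 500 and hides the reason from the client. Post starts before and continues after this hunk, and where `fileName` originates is not visible here, so the exact trust level of that value is inferred.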