diff --git a/dash/models/blocktext.php b/dash/models/blocktext.php
index 813ebbb..b8f69d9 100644
--- a/dash/models/blocktext.php
+++ b/dash/models/blocktext.php
@@ -30,6 +30,8 @@ class Blocktext extends Model {
 $block->content = str_replace("\r\n","\n",$content);
 $block->save();
+ Zira\Cache::clear();
+ return array('message' => Zira\Locale::t('Successfully saved'));
 }
 }
\ No newline at end of file
diff --git a/dash/models/files.php b/dash/models/files.php
index a7b1079..d22b21c 100644
--- a/dash/models/files.php
+++ b/dash/models/files.php
@@ -522,8 +522,21 @@ class Files extends Model {
 if ($zip->open($path, \ZipArchive::CREATE)!==TRUE) {
 return array('error' => Zira\Locale::t('An error occurred'));
 }
- $zip->extractTo(ROOT_DIR . DIRECTORY_SEPARATOR . $root);
+ $denied = false;
+ for ($i=0; $i<$zip->numFiles; $i++) {
+ $st = $zip->statIndex($i);
+ if ($st === false) continue;
+ $p = strrpos($st['name'], '.');
+ if ($p === false) continue;
+ $ext = substr($st['name'], $p+1);
+ if (strtolower($ext) == 'php') {
+ $denied = true;
+ break;
+ }
+ }
+ if (!$denied) $zip->extractTo(ROOT_DIR . DIRECTORY_SEPARATOR . $root);
 $zip->close();
+ if ($denied) return array('error'=>Zira\Locale::t('Permission denied'));
 return array('reload'=>$this->getJSClassName());
 }
diff --git a/htaccess.txt b/htaccess.txt
index 1307b65..1b07a69 100644
--- a/htaccess.txt
+++ b/htaccess.txt
@@ -51,3 +51,7 @@ ExpiresByType application/x-shockwave-flash "access 1 month"
 ExpiresByType image/x-icon "access 1 year"
 ExpiresDefault "access 1 month"
+
+
+ Header always append X-Frame-Options SAMEORIGIN
+
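Review bot: The new `Zira\Cache::clear()` call carries no comment, and from this hunk alone it reads as a site-wide cache flush on every text-block save; if `Zira\Cache` offers a narrower invalidation for the affected block or page that would be preferable, and in either case a one-line why-comment such as `// drop cached output so the edited block is served immediately` (worded to the actual reason) would help the next reader. The enclosing save method begins above the hunk.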
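Review bot: The extension test in the new extraction loop denies only the literal `php` suffix, so archive entries with other server-executable extensions, or a server configuration file such as `.htaccess` (which this same commit relies on Apache honouring), would still be written under `ROOT_DIR . DIRECTORY_SEPARATOR . $root`; an allowlist of the extensions the file manager is meant to accept is the safer shape for this check, and if the model already keeps such a list for single-file uploads it should be reused here. The `strrpos`/`substr` pair can be replaced by `pathinfo($st['name'], PATHINFO_EXTENSION)`, which also covers names without a dot — today those hit `continue` and are never inspected — and `==` on the comparison should be `===`. Whether `extractTo()` normalizes `../` in entry names depends on the PHP version in use; that is worth confirming, since the entry names are otherwise used unchecked. The enclosing method begins above the hunk.
```php
        $denied = false;
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $st = $zip->statIndex($i);
            if ($st === false) continue;
            // directory entries end with '/'; only regular files carry an extension to check
            if (substr($st['name'], -1) === '/') continue;
            $ext = strtolower(pathinfo($st['name'], PATHINFO_EXTENSION));
            // TODO(placeholder): $allowedExtensions = the file manager's upload allowlist
            if (!in_array($ext, $allowedExtensions, true)) {
                $denied = true;
                break;
            }
        }
        // … unchanged: conditional extractTo, close, denied/reload return …
```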
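Review bot: `append` is the wrong mode for X-Frame-Options: if another layer (a front proxy, a parent config, or presumably the application itself) already emits the header, mod_headers merges the values with a comma, and browsers treat a multi-valued X-Frame-Options as invalid and silently drop the protection; `Header always set X-Frame-Options SAMEORIGIN` replaces instead of merging. The directive is also unguarded — on a host where mod_headers is not loaded, an unknown directive in .htaccess turns every request into a 500 — so wrap it: `<IfModule mod_headers.c>` / `Header always set X-Frame-Options SAMEORIGIN` / `</IfModule>`. A `Content-Security-Policy: frame-ancestors 'self'` header is the current equivalent and can be added alongside for browsers that prefer it.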