diff --git a/src/_h5ai/server/php/inc/Archive.php b/src/_h5ai/server/php/inc/Archive.php
index 16829753..d441884b 100644
--- a/src/_h5ai/server/php/inc/Archive.php
+++ b/src/_h5ai/server/php/inc/Archive.php
@@ -44,9 +44,9 @@ class Archive {
 
 	private function shell_cmd($cmd) {
 
-		$cmd = str_replace("[ROOTDIR]", "\"" . $this->app->get_abs_path() . "\"", $cmd);
-		$cmd = str_replace("[DIRS]", count($this->dirs) ? "\"" . implode("\"  \"", array_values($this->dirs)) . "\"" : "", $cmd);
-		$cmd = str_replace("[FILES]", count($this->files) ? "\"" . implode("\"  \"", array_values($this->files)) . "\"" : "", $cmd);
+		$cmd = str_replace("[ROOTDIR]", escapeshellarg($this->app->get_abs_path()), $cmd);
+		$cmd = str_replace("[DIRS]", count($this->dirs) ? implode(" ", array_map("escapeshellarg", $this->dirs)) : "", $cmd);
+		$cmd = str_replace("[FILES]", count($this->files) ? implode(" ", array_map("escapeshellarg", $this->files)) : "", $cmd);
 		try {
 			passthru($cmd);
 		} catch (Exeption $err) {
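Review bot: Quoting each `[DIRS]` and `[FILES]` entry with `escapeshellarg()` neutralises shell metacharacters, but an entry that begins with `-` is still read as an option by the archiver. The command templates are defined outside this hunk; if they do not already end option parsing, put `--` before `[DIRS] [FILES]` there, or prefix relative entries with `./`. Separately, the context line `catch (Exeption $err)` misspells `Exception`, and `passthru()` reports failure through its result code rather than by throwing, so a failed command goes unnoticed here. Something like `passthru($cmd, $status);` followed by a check on `$status` would surface it. The body of `shell_cmd` continues past the end of the hunk.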
diff --git a/src/_h5ai/server/php/inc/Item.php b/src/_h5ai/server/php/inc/Item.php
index 1a5c6135..2da5bffa 100644
--- a/src/_h5ai/server/php/inc/Item.php
+++ b/src/_h5ai/server/php/inc/Item.php
@@ -2,7 +2,7 @@
 
 class Item {
 
-	private static $FOLDER_SIZE_CMD = "du -sk \"[DIR]\"";
+	private static $FOLDER_SIZE_CMD = "du -sk [DIR]";
 
 	public static function cmp($item1, $item2) {
 
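Review bot: `$FOLDER_SIZE_CMD` no longer quotes `[DIR]` itself, so the template is only safe when the substituted value has been passed through `escapeshellarg()`, and nothing at the declaration says so. Add a comment above it, for example `// [DIR] must be replaced with an escapeshellarg()-quoted path; never substitute a raw path.` If `abs_path` could ever be a relative path (not visible here), writing the template as `du -sk -- [DIR]` would also stop a name starting with `-` from being parsed as an option.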
@@ -57,7 +57,7 @@ class Item {
 			$this->size = null;
 			$options = $app->get_options();
 			if ($options["foldersize"]["enabled"]) {
-				$cmd = str_replace("[DIR]", $this->abs_path, Item::$FOLDER_SIZE_CMD);
+				$cmd = str_replace("[DIR]", escapeshellarg($this->abs_path), Item::$FOLDER_SIZE_CMD);
 				$this->size = intval(preg_replace("/\s.*$/", "", `$cmd`), 10) * 1024;
 			}
 		} else {
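Review bot: The backtick call on the line after the changed one is still consumed without checking that `du` produced a size, so an empty or null result becomes `intval("") * 1024`, a size of 0 instead of the `null` assigned just above. `escapeshellarg()` closes the injection through `$this->abs_path`, but depending on the process locale it can drop non-ASCII bytes from the path, which would make `du` fail or measure a different directory, so the missing check matters more after this change. Consider `$out = shell_exec($cmd);` and then `if (is_string($out) && preg_match('/^\d+/', $out, $m)) { $this->size = intval($m[0], 10) * 1024; }`. The enclosing method starts and ends outside the hunk.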