diff --git a/voussoirkit/flasktools.py b/voussoirkit/flasktools.py
index c674466..e17d619 100644
--- a/voussoirkit/flasktools.py
+++ b/voussoirkit/flasktools.py
@@ -239,6 +239,8 @@ def give_theme_cookie(function, *, cookie_name, default_theme):
     def wrapped(*args, **kwargs):
         old_theme = request.cookies.get(cookie_name, None)
         new_theme = request.args.get('theme', None)
+        if new_theme is not None and any(badchar in new_theme for badchar in {'..', '/', '\\'}):
+            new_theme = None
         theme = new_theme or old_theme or default_theme
 
         # The original data structure for request.cookies is immutable and we
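Review bot: The new guard only filters `new_theme` from the query string, but `old_theme` is read straight from `request.cookies` on the line above it, and a cookie is just as client-controlled as a query parameter, so a value containing `..` or a separator still reaches `theme` through the `or` chain on the next line. If `theme` is later used to build a file or template path (its use is outside this hunk, so I can't confirm), the bypass is trivial: the client sets the cookie directly. The safer shape is to validate the value that actually wins rather than one of its sources, and with an allowlist instead of a denylist, e.g. `theme = new_theme or old_theme or default_theme` followed by `if theme != default_theme and not re.fullmatch(r'[A-Za-z0-9_-]+', theme): theme = default_theme` (this needs `re` imported at file top if it is not already). A short comment such as `# Theme names come from the client (query arg or cookie); restrict to a safe charset before any path use.` would record why the check exists. Both `wrapped` and the enclosing `give_theme_cookie` continue outside this hunk.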