diff --git a/src/HydraFrontend/lib/HydraFrontend/Controller/Root.pm b/src/HydraFrontend/lib/HydraFrontend/Controller/Root.pm
index d446f438..4fff69be 100644
--- a/src/HydraFrontend/lib/HydraFrontend/Controller/Root.pm
+++ b/src/HydraFrontend/lib/HydraFrontend/Controller/Root.pm
@@ -11,6 +11,11 @@ use parent 'Catalyst::Controller';
 __PACKAGE__->config->{namespace} = '';
+# Security checking of filenames.
+my $pathCompRE = "(?:[A-Za-z0-9-\+][A-Za-z0-9-\+\._]*)";
+my $relPathRE = "(?:$pathCompRE(?:\/$pathCompRE)*)";
+
+
 sub begin :Private {
 my ( $self, $c ) = @_;
 $c->stash->{projects} = [$c->model('DB::Projects')->search({}, {order_by => 'displayname'})];
@@ -74,8 +79,9 @@ sub updateProject {
 my $jobsetName = $c->request->params->{"jobset-$baseName-name"};
 die "Invalid jobset name: $jobsetName" unless $jobsetName =~ /^[[:alpha:]]\w*$/;
+ # The Nix expression path must be relative and can't contain ".." elements.
 my $nixExprPath = $c->request->params->{"jobset-$baseName-nixexprpath"};
- die "Invalid Nix expression path: $nixExprPath" unless $nixExprPath =~ /^\w++$/; # !!! stricter
+ die "Invalid Nix expression path: $nixExprPath" if $nixExprPath !~ /^$relPathRE$/;
 my $nixExprInput = $c->request->params->{"jobset-$baseName-nixexprinput"};
 die "Invalid Nix expression input name: $nixExprInput" unless $nixExprInput =~ /^\w+$/;
@@ -294,9 +300,7 @@ sub download :Local {
 # Security paranoia.
 foreach my $elem (@path) {
- if ($elem eq "." || $elem eq ".." || $elem !~ /^[\w\-\.]+$/) {
- return error($c, "Invalid filename $elem.");
- }
+ return error($c, "Invalid filename $elem.") if $elem !~ /^$pathCompRE$/;
 }
 my $path = $product->path;
diff --git a/src/HydraFrontend/root/hydra.css b/src/HydraFrontend/root/hydra.css
index f6187731..23148282 100644
--- a/src/HydraFrontend/root/hydra.css
+++ b/src/HydraFrontend/root/hydra.css
@@ -16,12 +16,11 @@ h1 {
 h2 {
 font-size: 130%;
- margin-top: 2em;
+ margin-top: 1em;
 }
 h3 {
 font-size: 100%;
- margin-top: 1.5em;
 }
 table {
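Review bot: The two patterns on the added `my $pathCompRE` / `my $relPathRE` lines are double-quoted strings, so `\+`, `\.` and `\/` are consumed by string interpolation before the regex engine sees them; the pattern that actually runs is `(?:[A-Za-z0-9-+][A-Za-z0-9-+._]*)`, which is correct only because Perl treats the hyphen that follows the `0-9` range as a literal. Storing them as compiled regexes with the hyphen placed last makes the intent explicit and removes the double escaping: `my $pathCompRE = qr/[A-Za-z0-9+-][A-Za-z0-9+._-]*/;` and `my $relPathRE = qr{$pathCompRE(?:/$pathCompRE)*};`. A one-line comment stating what is deliberately excluded would also help, since the rule that a component may not begin with `.` is what rejects `.`, `..` and dotfiles, e.g. `# A path component may not start with "." or "_" and may not contain "/".`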
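Review bot: The added check `$nixExprPath !~ /^$relPathRE$/` uses `$` as the end anchor, which still matches when the value ends in a newline, so a submitted path such as `foo/default.nix` followed by `\n` passes a check that is otherwise strict about every character; the same applies to `/^$pathCompRE$/` in the download hunk. Use the absolute anchors instead: `die "Invalid Nix expression path: $nixExprPath" if $nixExprPath !~ /\A$relPathRE\z/;` and in download `return error($c, "Invalid filename $elem.") if $elem !~ /\A$pathCompRE\z/;`. Whether a trailing newline can actually reach these values depends on the Catalyst parameter handling, which is outside the hunk, but the anchors are free and settle the question. updateProject begins and ends outside the hunk.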
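Review bot: The new per-element check rejects a filename that begins with `_`, which the removed `/^[\w\-\.]+$/` test accepted, because `_` appears only in the second character class of `$pathCompRE` (defined earlier in the file); this looks like a side effect of reusing the component pattern rather than a deliberate tightening. If it is intended, record it next to `# Security paranoia.`, e.g. `# Each element must be a single path component: no "/", no leading "." or "_".`; otherwise add `_` to the first class of `$pathCompRE`. download's body begins and ends outside the hunk.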
@@ -181,14 +180,30 @@ tr.runningJob {
 margin-left: 3em;
 }
-div.indent {
- padding-left: 2em;
-}
-
 div.template {
 display: none;
 }
+div.jobset {
+ border: solid black 1px;
+ padding-left: 1em;
+ padding-right: 1em;
+ padding-bottom: 1em;
+ margin-bottom: 1em;
+}
+
+div.jobset-edit {
+ border: solid black 1px;
+ background-color: #f8f8f8;
+ padding-left: 1em;
+ padding-right: 1em;
+ margin-bottom: 1em;
+}
+
+div.jobset-edit h3, div.jobset h3 {
+ margin-top: 0.5em;
+}
+
 /* Sortable tables */
diff --git a/src/HydraFrontend/root/project.tt b/src/HydraFrontend/root/project.tt
index 143bea3a..6d71f163 100644
--- a/src/HydraFrontend/root/project.tt
+++ b/src/HydraFrontend/root/project.tt
@@ -13,12 +13,10 @@
 [% BLOCK renderJobset %]
-