diff --git a/lib/exe/css.php b/lib/exe/css.php
index 11ae2e828bb2cda204470d01df09a147efb8605f..0aa26de1313c3a8ae1a52f570ac5fac2586ba2b9 100644
--- a/lib/exe/css.php
+++ b/lib/exe/css.php
@@ -41,7 +41,7 @@ function css_out(){
         break;
     }
 
-    $tpl = trim(preg_replace('/[^\w]+/','',$_REQUEST['t']));
+    $tpl = trim(preg_replace('/[^\w-]+/','',$_REQUEST['t']));
     if($tpl){
         $tplinc = DOKU_INC.'lib/tpl/'.$tpl.'/';
         $tpldir = DOKU_BASE.'lib/tpl/'.$tpl.'/';
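Review bot: `$_REQUEST['t']` is passed straight into `preg_replace()` without checking that it is set and is a string. A request that sends `t` as an array makes `preg_replace()` return an array, which then reaches `trim()`; depending on the PHP version that is a warning or a TypeError rather than a clean fallback to the default template. I would normalise the value first, e.g. `$t = (isset($_REQUEST['t']) && is_string($_REQUEST['t'])) ? $_REQUEST['t'] : '';`, and filter `$t`. The widened class still excludes `.` and `/`, so the result remains a single path segment under `lib/tpl/`; that property deserves a one-line comment such as `// whitelist keeps $tpl a single path segment; keep in sync with the template _pattern in config.metadata.php`. css_out() starts and ends outside this hunk.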
diff --git a/lib/plugins/config/settings/config.class.php b/lib/plugins/config/settings/config.class.php
index 71e69b4c80258bd10e4892960518f124a51ac9fb..4b77d70655442bc45dce57498216017e1711c3a1 100644
--- a/lib/plugins/config/settings/config.class.php
+++ b/lib/plugins/config/settings/config.class.php
@@ -628,6 +628,7 @@ if (!class_exists('setting_dirchoice')) {
       if ($dh = @opendir($this->_dir)) {
         while (false !== ($entry = readdir($dh))) {
           if ($entry == '.' || $entry == '..') continue;
+          if ($this->_pattern && !preg_match($this->_pattern,$entry)) continue;
 
           $file = (is_link($this->_dir.$entry)) ? readlink($this->_dir.$entry) : $entry;
           if (is_dir($this->_dir.$file)) $list[] = $entry;
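Review bot: The added filter treats a `preg_match()` error (return value `false`, for example from a malformed `_pattern`) the same as a non-match, so a broken pattern silently empties the whole choice list. Failing closed is the safer direction, but the administrator gets no hint why the list is empty. I would at least document it on the new line, e.g. `// optional _pattern filter on the entry name; an invalid pattern (preg_match === false) hides every entry`. Note also that the pattern is applied to `$entry`, not to the symlink target resolved on the following line, which looks intended since `$entry` is the value stored in `$list`. The enclosing method starts and ends outside the hunk.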
diff --git a/lib/plugins/config/settings/config.metadata.php b/lib/plugins/config/settings/config.metadata.php
index 52db12a5ecf8d99c1b0494a3115cc5930c8bf1c0..55ddb1e5522cdfef90df9f29ac604108d7c420a9 100644
--- a/lib/plugins/config/settings/config.metadata.php
+++ b/lib/plugins/config/settings/config.metadata.php
@@ -22,7 +22,8 @@
  *   'email'        - text input, input must conform to email address format, setting output in quotes
  *   'password'     - password input, minimal input validation, setting output plain text in quotes
  *   'dirchoice'    - as multichoice, selection choices based on folders found at location specified in _dir
- *                    parameter (required)
+ *                    parameter (required). A pattern can be used to restrict the folders to only those which
+ *                    match the pattern.
  *   'multicheckbox'- a checkbox for each choice plus an "other" string input, config file setting is a comma
  *                    separated list of checked choices
  *   'fieldset'     - used to group configuration settings, but is not itself a setting. To make this clear in
@@ -41,7 +42,7 @@
  *
  * Defined parameters:
  *   '_pattern'    - string, a preg pattern. input is tested against this pattern before being accepted
- *                   optional all classes, except onoff, multichoice & dirchoice which ignore it
+ *                   optional all classes, except onoff & multichoice which ignore it
  *   '_choices'    - array of choices. used to populate a selection box. choice will be replaced by a localised
  *                   language string, indexed by  <setting name>_o_<choice>, if one exists
  *                   required by 'multichoice' & 'multicheckbox' classes, ignored by others
@@ -80,7 +81,7 @@ $meta['_basic']   = array('fieldset');
 $meta['title']    = array('string');
 $meta['start']    = array('string');
 $meta['lang']     = array('dirchoice','_dir' => DOKU_INC.'inc/lang/');
-$meta['template'] = array('dirchoice','_dir' => DOKU_INC.'lib/tpl/');
+$meta['template'] = array('dirchoice','_dir' => DOKU_INC.'lib/tpl/','_pattern' => '/^[\w-]+$/');
 $meta['savedir']  = array('savedir');
 $meta['basedir']  = array('string');
 $meta['baseurl']  = array('string');
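Review bot: In the new `'_pattern' => '/^[\w-]+$/'` the `$` anchor also matches just before a trailing newline, so a directory whose name ends in `\n` would pass the filter even though css.php strips that character from the `t` parameter. Anchoring with `\z` or adding the `D` modifier closes the gap: `'_pattern' => '/^[\w-]+$/D'`. The character class duplicates the one in lib/exe/css.php, so a short comment here noting that the two must stay in sync would help the next maintainer. The `lang` dirchoice on the line above has no `_pattern`; whether it needs one depends on how that setting is consumed, which is not visible in this diff.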