diff --git a/code/model/editableformfields/EditableFileField.php b/code/model/editableformfields/EditableFileField.php
index 2a26b47..84695ad 100755
--- a/code/model/editableformfields/EditableFileField.php
+++ b/code/model/editableformfields/EditableFileField.php
@@ -16,6 +16,15 @@ class EditableFileField extends EditableFormField {
 		'Folder' => 'Folder' // From CustomFields
 	);
+	/**
+	 * Further limit uploadable file extensions in addition to the restrictions
+	 * imposed by the File.allowed_extensions global configuration.
+	 * @config
+	 */
+	private static $allowed_extensions_blacklist = array(
+		'htm', 'html', 'xhtml', 'swf', 'xml'
+	);
+	/**
+	 * @return FieldList
+	 */
@@ -44,9 +53,12 @@ class EditableFileField extends EditableFormField {
 			->setFieldHolderTemplate('UserFormsField_holder')
 			->setTemplate('UserFormsFileField');
-		// filter out '' since this would be a regex problem on JS end
 		$field->getValidator()->setAllowedExtensions(
-			array_filter(Config::inst()->get('File', 'allowed_extensions'))
+			array_diff(
+				// filter out '' since this would be a regex problem on JS end
+				array_filter(Config::inst()->get('File', 'allowed_extensions')),
+				$this->config()->allowed_extensions_blacklist
+			)
 		);
 		$folder = $this->Folder();
diff --git a/docs/en/installation.md b/docs/en/installation.md
index 7401eae..d283410 100644
--- a/docs/en/installation.md
+++ b/docs/en/installation.md
@@ -29,6 +29,9 @@ to any configured recipients.
 Allowed file extensions can be configured globally through `File.allowed_extensions`, and default to a safe set of files (e.g. disallowing `*.php` uploads).
+You can define further exclusions through the `EditableFileField.allowed_extensions_blacklist`
+configuration setting.
+
 The allowed upload size is determined by PHP configuration for this website (the smaller value of `upload_max_filesize` or `post_max_size`).
diff --git a/tests/EditableFormFieldTest.php b/tests/EditableFormFieldTest.php
index 5b77e9b..9806e19 100644
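Review bot: The `@config` docblock on `$allowed_extensions_blacklist` does not say how entries are matched, and the consumer in the second hunk subtracts them with `array_diff`, which is an exact case-sensitive string comparison, so an entry such as `HTML` in YAML would silently fail to exclude `html`. Adding `Entries are matched case-sensitively against File.allowed_extensions, so use the same lower-case spelling.` to the docblock prevents that misconfiguration. It would also help to record why the five defaults were chosen (formats browsers render inline and that may carry active content), so later edits keep the intent; whether `svg` belongs on the list too depends on what the global allow list contains and is worth checking.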
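Review bot: `array_diff` on the new side compares the two lists as exact strings, so a blacklist entry that differs from the global allow list only in case is ignored, and if the config key is overridden with a non-array (presumably `null` when cleared in YAML) the call degrades to a PHP warning and a null allow list rather than a clear failure. Lower-casing both operands and casting the config value to array closes both gaps; `array_values()` additionally re-indexes the result, since `array_diff` preserves keys and leaves gaps in what is handed to `setAllowedExtensions()`. The enclosing method starts before this hunk and continues past `$folder = $this->Folder();`.
```php
		$field->getValidator()->setAllowedExtensions(
			array_values(array_diff(
				// filter out '' since this would be a regex problem on JS end
				array_map('strtolower', array_filter(Config::inst()->get('File', 'allowed_extensions'))),
				// cast guards against a null/scalar config override; lower-case both sides so the set difference is case-insensitive
				array_map('strtolower', (array) $this->config()->allowed_extensions_blacklist)
			))
		);
```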
--- a/tests/EditableFormFieldTest.php
+++ b/tests/EditableFormFieldTest.php
@@ -102,4 +102,12 @@ class EditableFormFieldTest extends FunctionalTest {
 		$this->assertNotContains('notallowedextension', $formField->getValidator()->getAllowedExtensions());
 	}
+	public function testFileFieldAllowedExtensionsBlacklist() {
+		Config::inst()->update('EditableFileField', 'allowed_extensions_blacklist', array('jpg'));
+		$fileField = $this->objFromFixture('EditableFileField', 'file-field');
+		$formField = $fileField->getFormField();
+		$this->assertNotContains('jpg', $formField->getValidator()->getAllowedExtensions());
+	}
+}
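Review bot: `testFileFieldAllowedExtensionsBlacklist` asserts only that `jpg` is absent after the config update, which also holds if `jpg` was never in `File.allowed_extensions`, so the test can pass vacuously and does not cover the shipped defaults. Asserting the positive case first, `$this->assertContains('jpg', $fileField->getFormField()->getValidator()->getAllowedExtensions());` before the `Config::inst()->update()` call, and adding `$this->assertNotContains('html', $formField->getValidator()->getAllowedExtensions());` for a default entry, would pin both directions. Whether `Config::inst()->update()` merges with or replaces the default list is not visible here; if it merges, the second assertion can live in the same test, otherwise it needs one of its own.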