diff --git a/build/wiki-command-replacer.sh b/build/wiki-command-replacer.sh
index 048ba0e..47770d6 100755
--- a/build/wiki-command-replacer.sh
+++ b/build/wiki-command-replacer.sh
@@ -6,6 +6,40 @@ cd "$(dirname "$0")/.."
 
 MARKER_START='{{COMMAND-OUTPUT "'
 MARKER_END='"}}'
+ALLOWED_COMMANDS=("phpcs" "phpcbf")
+
+tokenize_command() {
+  read -ra TOKENS <<< "$1"
+}
+
+check_allowed_commands() {
+  local cmd="${TOKENS[0]}"
+  for allowed in "${ALLOWED_COMMANDS[@]}"; do
+    [[ "${cmd}" == "${allowed}" ]] && return 0
+  done
+
+  echo >&2 "  ERROR: refusing to run arbitrary command: ${cmd}"
+  exit 1
+}
+
+validate_tokens() {
+  for token in "${TOKENS[@]}"; do
+    if [[ "${token}" =~ [\;\|\&\$\<\>\`\\] ]]; then
+      echo >&2 "  ERROR: refusing unsafe token: ${token}"
+      exit 1
+    fi
+  done
+}
+
+execute_command() {
+  tokenize_command "$1"
+  check_allowed_commands
+  validate_tokens
+
+  EXECUTABLE_COMMAND=("${TOKENS[0]}" "${TOKENS[@]:1}")
+  echo >&2 "  INFO: running: " "${EXECUTABLE_COMMAND[@]}"
+  "${EXECUTABLE_COMMAND[@]}" </dev/null || true
+}
 
 if [[ -z "${CI:-}" ]]; then
   # The `_wiki` directory is created in a previous GitHub Action step.
@@ -19,20 +53,10 @@ grep -lrF "${MARKER_START}" _wiki | while read -r file_to_process; do
 
   while IFS=$'\n' read -r line; do
     if [[ ${line} = ${MARKER_START}*${MARKER_END} ]]; then
-      COMMAND="${line##"${MARKER_START}"}"
-      COMMAND="${COMMAND%%"${MARKER_END}"}"
-
-      if [[ "${COMMAND}" != "phpcs "* ]] && [[ "${COMMAND}" != "phpcbf "* ]]; then
-        echo >&2 "  ERROR: refusing to run arbitrary command: ${COMMAND}"
-        exit 1
-      fi
-
-      #FIXME refuse to run commands with a semicolon / pipe / ampersand / sub-shell
+      USER_COMMAND="${line##"${MARKER_START}"}"
+      USER_COMMAND="${USER_COMMAND%%"${MARKER_END}"}"
 
-      echo >&2 "  INFO: running: ${COMMAND}"
-      (
-        eval "${COMMAND}" </dev/null || true
-      )
+      execute_command "${USER_COMMAND}"
     else
       echo "${line}"
     fi