sub _get_filepath ($;$) {
my $referer = shift;
$referer =~ /koha\/(.*)\.pl/;
- my $from = "help/$1.tt";
+ my $file = $1;
+ $file =~ s/[^0-9a-zA-Z_\-\/]*//g;
+ my $from = "help/$file.tt";
my $htdocs = C4::Context->config('intrahtdocs');
my ($theme, $lang, $availablethemes) = C4::Templates::themelanguage( $htdocs, $from, "intranet", $input );
$debug and print STDERR "help filepath: $htdocs/$theme/$lang/modules/$from";