use C4::Output;
use C4::Templates;
use C4::Auth;
-use CGI;
+use CGI qw ( -utf8 );
use warnings;
use vars qw($debug);
sub _get_filepath ($;$) {
my $referer = shift;
$referer =~ /koha\/(.*)\.pl/;
- my $from = "help/$1.tt";
+ my $file = $1;
+ $file =~ s/[^0-9a-zA-Z_\-\/]*//g;
+ my $from = "help/$file.tt";
my $htdocs = C4::Context->config('intrahtdocs');
my ($theme, $lang, $availablethemes) = C4::Templates::themelanguage( $htdocs, $from, "intranet", $input );
$debug and print STDERR "help filepath: $htdocs/$theme/$lang/modules/$from";
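Review bot: `my $file = $1;` reads the capture without checking that the match on `$referer` succeeded, so when the Referer header does not contain `koha/….pl` the value filtered on the next line is undef or left over from an earlier successful match, not this request's input. Taking the capture from the match itself, `my ($file) = $referer =~ m{koha/(.*)\.pl};`, and handling the undefined case explicitly before building `$from` would close that gap; what the function should fall back to is not visible here, since the body of `_get_filepath` continues past the end of the hunk. The allowlist itself looks sound for traversal because it drops `.` while keeping `/`, but that reasoning is not obvious from the character class, so a comment such as `# Referer is client-controlled: keep only [0-9a-zA-Z_/-] so ".." cannot survive into the template path` would help the next maintainer keep it intact. The debug line also writes the Referer-derived path to STDERR without a trailing newline, which makes log entries run together.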