--- orig/include/setup.php	2016-02-19 16:02:05.674756241 +0100
+++ new/include/setup.php	2016-02-19 16:02:10.166832543 +0100
@@ -467,7 +467,7 @@
 $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26');
 
 // To avoid a possible XSS exploit, need to clean up the passed-in path first
-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
+$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
 if ($path === null || $path === '')
 	$path = '/';
 $vars['safepath'] = escape($path);