Obtained from: Debian
--- include/setup.php.orig	2011-06-27 09:12:51 UTC
+++ include/setup.php
@@ -467,7 +467,7 @@ $vars['indexurl'] = $config->getURL('', 
 $vars['validationurl'] = getFullURL($_SERVER['SCRIPT_NAME']).'?'.buildQuery($queryParams + array('template' => $template, 'language' => $language), '%26');
 
 // To avoid a possible XSS exploit, need to clean up the passed-in path first
-$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : null;
+$path = !empty($_REQUEST['path']) ? escape($_REQUEST['path']) : null;
 if ($path === null || $path === '')
 	$path = '/';
 $vars['safepath'] = escape($path);
