diff --git a/htdocs/website/class/website.class.php b/htdocs/website/class/website.class.php
index c34d49fc7ca..9cc470a5954 100644
--- a/htdocs/website/class/website.class.php
+++ b/htdocs/website/class/website.class.php
@@ -1157,7 +1157,7 @@ class Website extends CommonObject
 /**
 * Open a zip with all data of web site and load it into database.
 *
- * @param string $pathtofile Path of zip file
+ * @param string $pathtofile Full path of zip file
 * @return int <0 if KO, Id of new website if OK
 */
 public function importWebSite($pathtofile)
@@ -1166,6 +1166,8 @@ class Website extends CommonObject
 $error = 0;
+ $pathtofile = dol_sanitizePathName($pathtofile);
+
 $object = $this;
 if (empty($object->ref)) {
 $this->error = 'Function importWebSite called on object not loaded (object->ref is empty)';
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index 3593ddbcd95..a8dc2a716b3 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -2420,14 +2420,17 @@ if ($action == 'importsiteconfirm' && $usercanedit) {
 $fileofzip = '';
 if (GETPOSTISSET('templateuserfile')) {
- $fileofzip = DOL_DATA_ROOT.'/doctemplates/websites/'.GETPOST('templateuserfile', 'alpha');
+ // Case we selected one template
+ $fileofzip = DOL_DATA_ROOT.'/doctemplates/websites/'.GETPOST('templateuserfile', 'alpha'); // $fileofzip will be sanitized later into the importWebSite()
 } elseif (!empty($_FILES)) {
+ // Case we upload a new template
 if (is_array($_FILES['userfile']['tmp_name'])) {
 $userfiles = $_FILES['userfile']['tmp_name'];
 } else {
 $userfiles = array($_FILES['userfile']['tmp_name']);
 }
+ // Check if $_FILES is ok
 foreach ($userfiles as $key => $userfile) {
 if (empty($_FILES['userfile']['tmp_name'][$key])) {
 $error++;
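Review bot: The added `dol_sanitizePathName($pathtofile)` call in importWebSite() rewrites the whole path in place, but nothing visible here confirms that the result still lies inside the directory the caller intended, and a silently altered path is then used for the import. The value originates from `GETPOST('templateuserfile', 'alpha')` in htdocs/website/index.php (third hunk), where the new comment defers the check to this function; constraining the file-name component at that boundary as well keeps the guarantee next to the untrusted input, for example `$fileofzip = DOL_DATA_ROOT.'/doctemplates/websites/'.basename(GETPOST('templateuserfile', 'alpha'));` if templates always sit directly in that directory. Inside importWebSite() it would be safer to reject than to repair: compare the sanitized value with the original and return an error when they differ. The function body continues outside the hunk, so how `$pathtofile` is opened afterwards is not visible here.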
@@ -2442,20 +2445,25 @@ if ($action == 'importsiteconfirm' && $usercanedit) {
 }
 if (!$error) {
- $upload_dir = $conf->website->dir_temp;
+ //$upload_dir = $conf->website->dir_temp;
+ $upload_dir = DOL_DATA_ROOT.'/doctemplates/websites/';
 $result = dol_add_file_process($upload_dir, 1, -1, 'userfile', '');
 }
 // Get name of file (take last one if several name provided)
+ /*
 $fileofzip = $upload_dir.'/unknown';
 foreach ($_FILES as $key => $ifile) {
 foreach ($ifile['name'] as $key2 => $ifile2) {
 $fileofzip = $upload_dir.'/'.$ifile2;
 }
 }
+ */
+
+ $action = 'importsite';
 }
- if (!$error) {
+ if (!$error && GETPOSTISSET('templateuserfile')) {
 $result = $object->importWebSite($fileofzip);
 if ($result < 0) {
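Review bot: Uploads now land directly in the persistent `DOL_DATA_ROOT.'/doctemplates/websites/'` directory, and in the visible lines `$result` from `dol_add_file_process()` is not checked before `$action = 'importsite';` runs, so a failed or rejected upload is handled the same way as a successful one. If the second argument `1` enables overwriting, as it appears to, an upload can also replace an existing template of the same name; pass `0` or state in a comment why overwriting is wanted, and restrict accepted files to `.zip` if the helper does not already enforce that. The commented-out `//$upload_dir = $conf->website->dir_temp;` line and the `/* ... */` block should be deleted rather than kept as dead code. The enclosing `if ($action == 'importsiteconfirm' && $usercanedit)` block starts above the hunk and the `if ($result < 0)` branch continues below it.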