diff --git a/htdocs/ecm/file_note.php b/htdocs/ecm/file_note.php
index dba96710f60..d2f3f7b4792 100644
--- a/htdocs/ecm/file_note.php
+++ b/htdocs/ecm/file_note.php
@@ -73,7 +73,7 @@ if (!$section) {
 	dol_print_error('', 'Error, section parameter missing');
 	exit;
 }
-$urlfile = GETPOST("urlfile");
+$urlfile = (string) dol_sanitizePathName(GETPOST("urlfile"));
 if (!$urlfile) {
 	dol_print_error('', "ErrorParamNotDefined");
 	exit;