More secure skin param check (#1346)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm

@@ -421,14 +421,20 @@ sub getSkin {
 
     # Check skin GET/POST parameter
     my $skinParam = $req->param('skin');
-    if ( defined $skinParam and !$self->checkXSSAttack( 'skin', $skinParam ) ) {
+    if ( defined $skinParam ) {
-        if ( -d $self->conf->{templateDir} . '/' . $skinParam ) {
+        if ( $skinParam =~ /^[\w\-]$/ ) {
-            $skin = $skinParam;
+            if ( -d $self->conf->{templateDir} . '/' . $skinParam ) {
-            $self->logger->debug("Skin $skin selected from GET/POST parameter");
+                $skin = $skinParam;
+                $self->logger->debug(
+                    "Skin $skin selected from GET/POST parameter");
+            }
+            else {
+                $self->userLogger->error(
+                    "User tries to access to unexistent skin dir $skinParam");
+            }
         }
         else {
-            $self->userLogger->error(
+            $self->userLogger->error("Strange skin parameter: $skinParam");
-                "User tries to access to unexistent skin dir $skinParam");
         }
     }