diff --git a/include/staff/directory.inc.php b/include/staff/directory.inc.php
index 9eb4926dd6825ace920ad39536e8521ae422102f..a604acc184eccf823766b96646f932eed72d5375 100644
--- a/include/staff/directory.inc.php
+++ b/include/staff/directory.inc.php
@@ -5,6 +5,10 @@ $qs = array();
 $agents = Staff::objects()
     ->select_related('dept');
 
+// Sanitize 'order' param To Escape XSS
+if ($_REQUEST['order'])
+    $_REQUEST['order'] = Format::sanitize($_REQUEST['order']);
+
 if($_REQUEST['q']) {
     $searchTerm=$_REQUEST['q'];
     if($searchTerm){
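Review bot: The new guard `if ($_REQUEST['order'])` reads the index unconditionally, so a request without `order` raises an undefined-index notice, and a value of `'0'` is skipped by the truthiness test and reaches the later code unsanitized; `if (isset($_REQUEST['order']) && $_REQUEST['order'] !== '')` avoids both. Mutating `$_REQUEST` in place is also a sanitize-on-input approach: it only protects later consumers that echo the value verbatim, while any code that already escapes at output now gets an already-transformed string. If `order` is only ever consumed as a sort direction or column name (not visible in this hunk), validating it against an explicit allowlist of accepted values and discarding anything else would close the XSS vector more precisely than string sanitization; the `Format::sanitize` call could then be dropped or kept as defense in depth. Either way, the comment should say what is being protected, e.g. `// 'order' is reflected into generated links/markup below; reject anything outside the accepted values`, rather than "To Escape XSS".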