diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 16082c203c..f2f6f56698 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -209,6 +209,7 @@ p a {
[Change] Reset the start parameter when the timeframe is changed in the mcp topic page (Ticket #14438)
[Change] Added Code for cleaning the confirm table to the session garbage collection
[Fix] Fixed token handling in jabber class for extremely spec-compilant XMPP server (Bug #14445)
+ [Fix] Disallowed galleries from using special characters (Bug #14466)
diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php
index fed783e880..86113899c7 100644
--- a/phpBB/includes/functions_user.php
+++ b/phpBB/includes/functions_user.php
@@ -1975,14 +1975,14 @@ function avatar_gallery($category, $avatar_select, $items_per_column, $block_var
while (($file = readdir($dp)) !== false)
{
- if ($file[0] != '.' && is_dir("$path/$file"))
+ if ($file[0] != '.' && preg_match('#^[^&"\'<>]+$#i', $file) && is_dir("$path/$file"))
{
$avatar_row_count = $avatar_col_count = 0;
$dp2 = @opendir("$path/$file");
while (($sub_file = readdir($dp2)) !== false)
{
- if (preg_match('#^[^&"<>]*\.(?:gif|png|jpe?g)$#i', $sub_file))
+ if (preg_match('#^[^&\'"<>]+\.(?:gif|png|jpe?g)$#i', $sub_file))
{
$avatar_list[$file][$avatar_row_count][$avatar_col_count] = array(
'file' => "$file/$sub_file",
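Review bot: Both new patterns end in `$`, which in PCRE without the `D` modifier also matches just before a trailing newline, so a directory or file name ending in a newline still passes the check on the `is_dir` line and on the `$sub_file` line; anchoring with `\z` closes that, e.g. `preg_match('#^[^&"\'<>]+\z#', $file)` and `'#^[^&\'"<>]+\.(?:gif|png|jpe?g)\z#i'`. The `i` flag on the first pattern has no effect because its class contains no letters, and the same denylist is written twice in a different order, so a single shared definition would keep the two checks from drifting apart. This filter only keeps such names out of the listing; the stored `"$file/$sub_file"` value should presumably still be HTML-escaped where it is emitted, which is not visible here. avatar_gallery's body starts and ends outside the hunk.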