diff --git a/www/include/options/accessLists/groupsACL/groupsConfig.php b/www/include/options/accessLists/groupsACL/groupsConfig.php
index 0962a1ec3d7..efca74051f9 100644
--- a/www/include/options/accessLists/groupsACL/groupsConfig.php
+++ b/www/include/options/accessLists/groupsACL/groupsConfig.php
@@ -71,8 +71,14 @@ function sanitize_input_array(array $inputArray): array
 $acl_group_id = filter_var($_GET['acl_group_id'] ?? $_POST['acl_group_id'] ?? null, FILTER_VALIDATE_INT) ?? null;
 // Caution $o may already be set from the GET or from the POST.
-$postO = filter_var($_POST['o1'] ?? $_POST['o2'] ?? $o ?? null, FILTER_SANITIZE_STRING);
-$o = ("" !== $postO) ? $postO : null;
+$postO = filter_var(
+ $_POST['o1'] ?? $_POST['o2'] ?? $o ?? null,
+ FILTER_VALIDATE_REGEXP,
+ ["options" => ["regexp" => "/^(a|c|d|m|s|u|w)$/"]]
+);
+if ($postO !== false) {
+ $o = $postO;
+}
 switch ($o) {
 case "a":
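Review bot: When validation fails, the added `if ($postO !== false)` leaves `$o` at whatever value it held before this block, so a value set earlier from the request (the comment above says it may come from GET or POST) reaches `switch ($o)` without having passed the allow-list; the removed code always reassigned `$o`. Resetting on failure keeps the allow-list authoritative: `$o = ($postO !== false) ? $postO : null;`. The pattern's `$` also matches before a trailing newline, so `"a\n"` validates; `/\A[acdmsuw]\z/` or a strict `in_array()` against the seven letters is tighter. The switch body lies outside the hunk, so what a non-matching `$o` does afterwards cannot be confirmed from here.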