Need help fixxing This

[Joco]

Can someone help fix this so that its not able to be attacked by by XSS attacks My site got hacked using this a few months but I'd like to still use this or something like this that works the same so I dont get hacked.

 

<?php 
if (!isset($_GET["link"])) include 'main.php';
else if(is_file($_GET["link"] . ".php") && $_GET["link"] !="index" ) include htmlspecialchars($_GET["link"] . ".php");
else include 'error.php';
?>