Don't worry about generating the menu. The sanitizing of the input there doesn't really matter as you aren't loading scripts/resources based on the query string.
The use of basename() in line 20 of your index page prevents directory traversal. It still would allow for other php to be called though even though you may not want them to be. I'd put all your content pages in a subdirectory (e.g. "pages") and only have content pages there. So change line 20 to
$page = "pages\".basename($page);