From 00e9a9a5091afb00970e78acbe29ccac16dcb604 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 6 Oct 2020 17:10:00 +0200
Subject: [PATCH] Sanitize color
---
 htdocs/categories/edit.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/htdocs/categories/edit.php b/htdocs/categories/edit.php
index 53a343046b7..7c8c683bf18 100644
--- a/htdocs/categories/edit.php
+++ b/htdocs/categories/edit.php
@@ -33,16 +33,16 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
 $langs->load("categories");
 $id = GETPOST('id', 'int');
-$ref = GETPOST('ref');
-$type = GETPOST('type');
+$ref = GETPOST('ref', 'alphanohtml');
+$type = GETPOST('type', 'alphanohtml');
 $action = (GETPOST('action', 'aZ09') ?GETPOST('action', 'aZ09') : 'edit');
 $confirm = GETPOST('confirm');
 $cancel = GETPOST('cancel', 'alpha');
 $socid = GETPOST('socid', 'int');
-$label = GETPOST('label');
-$description = GETPOST('description');
-$color = GETPOST('color', 'alpha');
+$label = GETPOST('label', 'alphanohtml');
+$description = GETPOST('description', 'restricthtml');
+$color = preg_replace('/[^0-9a-f#]/i', '', GETPOST('color', 'alphanohtml'));
 $visible = GETPOST('visible');
 $parent = GETPOST('parent');
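Review bot: `$visible` and `$parent` on the hunk's last two lines, and `$confirm` a few lines above, are still read with a bare `GETPOST()` while every other parameter in this hunk now names a check type, so those three get whatever GETPOST's default check is in this Dolibarr version rather than an explicit one. From the neighbouring lines they look like a flag, a category id and a confirmation token, so `$visible = GETPOST('visible', 'int');`, `$parent = GETPOST('parent', 'int');` and `$confirm = GETPOST('confirm', 'alpha');` would close the gap, assuming the rest of the file (not visible here) uses the first two as integers. The new `$color` expression only strips disallowed characters instead of rejecting the value, so a `#` in the middle or a 12-digit string still passes through; if the consumer expects `#rrggbb`, a `preg_match('/^#?[0-9a-f]{6}$/i', ...)` check would be the stricter choice. These are top-level script statements, so there is no enclosing function to worry about.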