diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php
index 3ff54125b8e..49e5beaa19d 100644
--- a/htdocs/comm/action/card.php
+++ b/htdocs/comm/action/card.php
@@ -840,7 +840,7 @@ if ($action == 'create')
 	print '<input type="hidden" name="token" value="'.newToken().'">';
 	print '<input type="hidden" name="action" value="add">';
 	print '<input type="hidden" name="donotclearsession" value="1">';
-	if ($backtopage) print '<input type="hidden" name="backtopage" value="'.($backtopage != '1' ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';
+	if ($backtopage) print '<input type="hidden" name="backtopage" value="'.($backtopage != '1' ? $backtopage : htmlentities($_SERVER["HTTP_REFERER"])).'">';
 	if (empty($conf->global->AGENDA_USE_EVENT_TYPE)) print '<input type="hidden" name="actioncode" value="'.dol_getIdFromCode($db, 'AC_OTH', 'c_actioncomm').'">';
 
 	if (GETPOST("actioncode", 'aZ09') == 'AC_RDV') print load_fiche_titre($langs->trans("AddActionRendezVous"), '', 'title_agenda');
@@ -1249,7 +1249,7 @@ if ($id > 0)
 		print '<input type="hidden" name="action" value="update">';
 		print '<input type="hidden" name="id" value="'.$id.'">';
 		print '<input type="hidden" name="ref_ext" value="'.$object->ref_ext.'">';
-		if ($backtopage) print '<input type="hidden" name="backtopage" value="'.($backtopage != '1' ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';
+		if ($backtopage) print '<input type="hidden" name="backtopage" value="'.($backtopage != '1' ? $backtopage : htmlentities($_SERVER["HTTP_REFERER"])).'">';
 		if (empty($conf->global->AGENDA_USE_EVENT_TYPE)) print '<input type="hidden" name="actioncode" value="'.$object->type_code.'">';
 
 		dol_fiche_head($head, 'card', $langs->trans("Action"), 0, 'action');
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 7368837fbac..d8f7dad8ac0 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -165,7 +165,6 @@ if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
     	if ($csrfattack)
     	{
     		//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_HOST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
-
     		// Note: We can't use dol_escape_htmltag here to escape output because lib functions.lib.ph is not yet loaded.
     		print "Access refused by CSRF protection in main.inc.php. Referer of form (".htmlentities($_SERVER['HTTP_REFERER'], ENT_COMPAT, 'UTF-8').") is outside the server that serve this page (with method = ".htmlentities($_SERVER['REQUEST_METHOD'], ENT_COMPAT, 'UTF-8').").\n";
         	print "If you access your server behind a proxy using url rewriting, you might check that all HTTP headers are propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file to remove this security check).\n";
diff --git a/htdocs/public/error-401.php b/htdocs/public/error-401.php
index d6a6ed548ff..ac921fc9f78 100644
--- a/htdocs/public/error-401.php
+++ b/htdocs/public/error-401.php
@@ -21,7 +21,7 @@
     Sorry. You are not allowed to access this resource.
 
     <br>
-    <?php print isset($_SERVER["HTTP_REFERER"])?'You come from '.$_SERVER["HTTP_REFERER"].'.':''; ?>
+    <?php print isset($_SERVER["HTTP_REFERER"])?'You come from '.htmlentities($_SERVER["HTTP_REFERER"]).'.':''; ?>
 
     <hr>
 
diff --git a/htdocs/public/error-404.php b/htdocs/public/error-404.php
index 36547d26704..34a4ac03e9e 100644
--- a/htdocs/public/error-404.php
+++ b/htdocs/public/error-404.php
@@ -21,7 +21,7 @@
     You requested a website or a page that does not exists.
 
     <br>
-    <?php print isset($_SERVER["HTTP_REFERER"])?'You come from '.$_SERVER["HTTP_REFERER"].'.':''; ?>
+    <?php print isset($_SERVER["HTTP_REFERER"])?'You come from '.htmlentities($_SERVER["HTTP_REFERER"]).'.':''; ?>
 
     <hr>