diff --git a/htdocs/admin/agenda_extsites.php b/htdocs/admin/agenda_extsites.php
index 755d1eb23f9..79e6d3dbd6c 100644
--- a/htdocs/admin/agenda_extsites.php
+++ b/htdocs/admin/agenda_extsites.php
@@ -2,6 +2,7 @@
 /* Copyright (C) 2008-2015	Laurent Destailleur		<eldy@users.sourceforge.net>
  * Copyright (C) 2011-2015	Juanjo Menent			<jmenent@2byte.es>
  * Copyright (C) 2015       Jean-François Ferry		<jfefe@aternatik.fr>
+ * Copyright (C) 2016       Raphaël Doursenaud      <rdoursenaud@gpcsolutions.fr>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -95,7 +96,7 @@ if ($actionsave)
 	// Save nb of agenda
 	if (! $error)
 	{
-		$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity);
+		$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity);
 		if (! $res > 0) $error++;
 		if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5;
 		$MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB;
@@ -214,9 +215,9 @@ while ($i <= $MAXAGENDA)
 	// Nb
 	print '<td width="180" class="nowrap">'.$langs->trans("AgendaExtNb",$key)."</td>";
 	// Name
-	print '<td><input type="text" class="flat hideifnotset" name="AGENDA_EXT_NAME'.$key.'" value="'. (GETPOST('AGENDA_EXT_NAME'.$key)?GETPOST('AGENDA_EXT_NAME'.$key):$conf->global->$name) . '" size="28"></td>';
+	print '<td><input type="text" class="flat hideifnotset" name="AGENDA_EXT_NAME'.$key.'" value="'. (GETPOST('AGENDA_EXT_NAME'.$key)?GETPOST('AGENDA_EXT_NAME'.$key, 'alpha'):$conf->global->$name) . '" size="28"></td>';
 	// URL
-	print '<td><input type="url" class="flat hideifnotset" name="AGENDA_EXT_SRC'.$key.'" value="'. (GETPOST('AGENDA_EXT_SRC'.$key)?GETPOST('AGENDA_EXT_SRC'.$key):$conf->global->$src) . '" size="60"></td>';
+	print '<td><input type="url" class="flat hideifnotset" name="AGENDA_EXT_SRC'.$key.'" value="'. (GETPOST('AGENDA_EXT_SRC'.$key)?GETPOST('AGENDA_EXT_SRC'.$key, 'alpha'):$conf->global->$src) . '" size="60"></td>';
 	// Offset TZ
 	print '<td><input type="text" class="flat hideifnotset" name="AGENDA_EXT_OFFSETTZ'.$key.'" value="'. (GETPOST('AGENDA_EXT_OFFSETTZ'.$key)?GETPOST('AGENDA_EXT_OFFSETTZ'.$key):$conf->global->$offsettz) . '" size="2"></td>';
 	// Color (Possible colors are limited by Google)
diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php
index 673ee101cf0..79347c24c4e 100644
--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
@@ -258,7 +258,7 @@ $out='';
 $typeleaves=$holiday->getTypes(1,1);
 foreach($typeleaves as $key => $val)
 {
-	$nb_type = $holiday->getCPforUser($user->id, $val['rowid']);
+	$nb_type = $holiday->getCPforUser($user_id, $val['rowid']);
 	$nb_holiday += $nb_type;
 	$out .= ' - '.$val['label'].': <strong>'.($nb_type?price2num($nb_type):0).'</strong><br>';
 }
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index a24eda81fb3..dd449bda420 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -97,7 +97,8 @@ function test_sql_and_script_inject($val, $type)
     // All examples on page: http://ha.ckers.org/xss.html#XSScalc
     $sql_inj += preg_match('/<script/i', $val);
     if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
-    $sql_inj += preg_match('/base[\s]+href/i', $val);
+    $sql_inj += preg_match('/base[\s]+href/si', $val);
+    $sql_inj += preg_match('/<.*onmouseover/si', $val);       // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
     if ($type == 1)
     {
         $sql_inj += preg_match('/javascript:/i', $val);
diff --git a/htdocs/public/cron/cron_run_jobs.php b/htdocs/public/cron/cron_run_jobs.php
index 022a7641cab..5fd0ff949b4 100644
--- a/htdocs/public/cron/cron_run_jobs.php
+++ b/htdocs/public/cron/cron_run_jobs.php
@@ -133,8 +133,7 @@ if (is_array($object->lines) && (count($object->lines)>0))
 		dol_syslog("cron_run_jobs.php fetch cronjobid: ".$line->id, LOG_WARNING);
 
 		//If date_next_jobs is less of current dat, execute the program, and store the execution time of the next execution in database
-		if ((($line->datenextrun <= $now) && $line->dateend < $now)
-				|| ((empty($line->datenextrun)) && (empty($line->dateend))))
+		if (($line->datenextrun < $now) && (empty($line->datestart) || $line->datestart <= $now) && (empty($line->dateend) || $line->dateend >= $now))
 		{
 
 			dol_syslog("cron_run_jobs.php:: torun line->datenextrun:".dol_print_date($line->datenextrun,'dayhourtext')." line->dateend:".dol_print_date($line->dateend,'dayhourtext')." now:".dol_print_date($now,'dayhourtext'));
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index 3f3d7cc27df..d14ccc6f8d4 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -1,7 +1,7 @@
 <?php
 /* Copyright (C) 2004-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
  * Copyright (C) 2005-2012 Laurent Destailleur  <eldy@users.sourceforge.net>
- * Copyright (C) 2005-2012 Regis Houssin        <regis.houssin@capnetworks.com>
+ * Copyright (C) 2005-2016 Regis Houssin        <regis.houssin@capnetworks.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -24,15 +24,16 @@
  *      \remarks    Call to wrapper is '<img src="'.DOL_URL_ROOT.'/viewimage.php?modulepart=diroffile&file=relativepathofofile&cache=0">'
  */
 
-//if (! defined('NOREQUIREUSER'))   define('NOREQUIREUSER','1');	// Not disabled cause need to load personalized language
-//if (! defined('NOREQUIREDB'))   define('NOREQUIREDB','1');		// Not disabled cause need to load personalized language
-if (! defined('NOREQUIRESOC'))    define('NOREQUIRESOC','1');
-if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1');
-if (! defined('NOCSRFCHECK'))     define('NOCSRFCHECK','1');
-if (! defined('NOTOKENRENEWAL'))  define('NOTOKENRENEWAL','1');
-if (! defined('NOREQUIREMENU'))  define('NOREQUIREMENU','1');
-if (! defined('NOREQUIREHTML'))  define('NOREQUIREHTML','1');
-if (! defined('NOREQUIREAJAX'))  define('NOREQUIREAJAX','1');
+//if (! defined('NOREQUIREUSER'))	define('NOREQUIREUSER','1');	// Not disabled cause need to load personalized language
+//if (! defined('NOREQUIREDB'))		define('NOREQUIREDB','1');		// Not disabled cause need to load personalized language
+if (! defined('NOREQUIRESOC'))		define('NOREQUIRESOC','1');
+if (! defined('NOREQUIRETRAN'))		define('NOREQUIRETRAN','1');
+if (! defined('NOCSRFCHECK'))		define('NOCSRFCHECK','1');
+if (! defined('NOTOKENRENEWAL'))	define('NOTOKENRENEWAL','1');
+if (! defined('NOREQUIREMENU'))		define('NOREQUIREMENU','1');
+if (! defined('NOREQUIREHTML'))		define('NOREQUIREHTML','1');
+if (! defined('NOREQUIREAJAX'))		define('NOREQUIREAJAX','1');
+if (! defined('NOREQUIREHOOK'))		define('NOREQUIREHOOK','1');	// Disable "main.inc.php" hooks
 // Pour autre que companylogo, on charge environnement + info issus de logon comme le user
 if ((isset($_GET["modulepart"]) && $_GET["modulepart"] == 'companylogo') && ! defined("NOLOGIN")) define("NOLOGIN",'1');