From 2d6f7f926c368a7ce6f02da1435c9930f7639347 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 15 Nov 2018 17:34:11 +0100
Subject: [PATCH] FIX xss injection on user address

---
 htdocs/user/card.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index 6b83bf28ba5..fed2cc5de64 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -193,7 +193,7 @@ if (empty($reshook)) {
 $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth'), GETPOST('birthday'), GETPOST('birthyear'));
 $object->birth = $birth;
 $object->admin = GETPOST("admin", 'alpha');
-$object->address = GETPOST('address', 'alpha');
+$object->address = GETPOST('address', 'alphanohtml');
 $object->zip = GETPOST('zipcode', 'alpha');
 $object->town = GETPOST('town', 'alpha');
 $object->country_id = GETPOST('country_id', 'int');
@@ -342,7 +342,7 @@ if (empty($reshook)) {
 $object->pass = GETPOST("password",'none');
 $object->api_key = (GETPOST("api_key", 'alpha')) ? GETPOST("api_key", 'alpha') : $object->api_key;
 if (! empty($user->admin)) $object->admin = GETPOST("admin"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request
-$object->address = GETPOST('address', 'alpha');
+$object->address = GETPOST('address', 'alphanohtml');
 $object->zip = GETPOST('zipcode', 'alpha');
 $object->town = GETPOST('town', 'alpha');
 $object->country_id = GETPOST('country_id', 'int');
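Review bot: The neighbouring free-text fields in the same assignment run keep the 'alpha' filter — `$object->zip = GETPOST('zipcode', 'alpha');` and `$object->town = GETPOST('town', 'alpha');` — so if 'alpha' is what allowed markup into address, the same markup can still be stored through zip and town; this applies equally to the second hunk at line 342. Consider `GETPOST('zipcode', 'alphanohtml')` and `GETPOST('town', 'alphanohtml')` next to the address change, and the same review for the other text fields of the user record that this form reads. That 'alpha' admits HTML is inferred from the commit title rather than from lines visible here, so confirm against GETPOST's filter definitions before widening the change. Tightening the intake filter is defence in depth only: the place where `$object->address` is rendered on the card should still escape it, since the column can be populated by paths other than this form. The enclosing `if (empty($reshook))` block starts and ends outside both hunks.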