From 3e15830678a65494636e38e79d224449f9329441 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Tue, 25 Aug 2009 15:19:29 +0000
Subject: [PATCH] Fix: Data into an input text must be encode by
 htmlspecialchars

---
 htdocs/admin/const.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php
index f9f06f62a95..ed85e140f7b 100644
--- a/htdocs/admin/const.php
+++ b/htdocs/admin/const.php
@@ -39,7 +39,6 @@ $typeconst=array('yesno','texte','chaine');
 /*
  * Actions
  */
-
 if ($_POST["action"] == 'update' || $_POST["action"] == 'add')
 {
 	if (! dolibarr_set_const($db, $_POST["constname"],$_POST["constvalue"],$typeconst[$_POST["consttype"]],1,isset($_POST["constnote"])?$_POST["constnote"]:'',$_POST["entity"]));
@@ -148,11 +147,11 @@ if ($result)
 
 		// Value
 		print '<td>';
-		print '<input type="text" class="flat" size="30" name="constvalue" value="'.$obj->value.'">';
+		print '<input type="text" class="flat" size="30" name="constvalue" value="'.htmlspecialchars($obj->value).'">';
 		print '</td><td>';
 
 		// Note
-		print '<input type="text" class="flat" size="40" name="constnote" value="'.nl2br($obj->note).'">';
+		print '<input type="text" class="flat" size="40" name="constnote" value="'.htmlspecialchars($obj->note,1).'">';
 		print '</td>';
 
 		// Entity