diff --git a/htdocs/product/card.php b/htdocs/product/card.php
index 8b4654ba921..d6f62b34769 100644
--- a/htdocs/product/card.php
+++ b/htdocs/product/card.php
@@ -86,6 +86,9 @@ $accountancy_code_buy = GETPOST('accountancy_code_buy', 'alpha');
$accountancy_code_buy_intra = GETPOST('accountancy_code_buy_intra', 'alpha');
$accountancy_code_buy_export = GETPOST('accountancy_code_buy_export', 'alpha');
+// by default 'alphanohtml' (better security); hidden conf MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML allows basic html
+$label_security_check = empty($conf->global->MAIN_SECURITY_ALLOW_UNSECURED_LABELS_WITH_HTML) ? 'alphanohtml' : 'restricthtml';
+
if (!empty($user->socid)) $socid = $user->socid;
$object = new Product($db);
@@ -201,7 +204,7 @@ if (empty($reshook))
{
$error = 0;
- if (!GETPOST('label', 'alphanohtml'))
+ if (!GETPOST('label', $label_security_check))
{
setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentities('Label')), null, 'errors');
$action = "create";
@@ -225,7 +228,7 @@ if (empty($reshook))
$units = GETPOST('units', 'int');
$object->ref = $ref;
- $object->label = GETPOST('label', 'alphanohtml');
+ $object->label = GETPOST('label', $label_security_check);
$object->price_base_type = GETPOST('price_base_type', 'aZ09');
if ($object->price_base_type == 'TTC')
@@ -406,7 +409,7 @@ if (empty($reshook))
$object->oldcopy = clone $object;
$object->ref = $ref;
- $object->label = GETPOST('label', 'alphanohtml');
+ $object->label = GETPOST('label', $label_security_check);
$object->description = dol_htmlcleanlastbr(GETPOST('desc', 'none'));
$object->url = GETPOST('url');
if (!empty($conf->global->MAIN_DISABLE_NOTES_TAB))
@@ -1005,7 +1008,7 @@ else
print '';
// Label
- print '| '.$langs->trans("Label").' | |
';
+ print '| '.$langs->trans("Label").' | |
';
// On sell
print '| '.$langs->trans("Status").' ('.$langs->trans("Sell").') | ';
|