diff --git a/htdocs/comm/askpricesupplier/card.php b/htdocs/comm/askpricesupplier/card.php
index 51368cb09a7..22732c1a19d 100644
--- a/htdocs/comm/askpricesupplier/card.php
+++ b/htdocs/comm/askpricesupplier/card.php
@@ -1664,7 +1664,7 @@ if ($action == 'create')
 
 				// Create an order
 				if (! empty($conf->commande->enabled) && $object->statut == 2) {
-					if ($user->rights->commande->creer) {
+					if ($user->rights->fournisseur->commande->creer) {
 						print '<div class="inline-block divButAction"><a class="butAction" href="' . DOL_URL_ROOT . '/fourn/commande/card.php?action=create&amp;origin=' . $object->element . '&amp;originid=' . $object->id . '&amp;socid=' . $object->socid . '">' . $langs->trans("AddOrder") . '</a></div>';
 					}
 				}
diff --git a/htdocs/comm/mailing/list.php b/htdocs/comm/mailing/list.php
index 43441306e34..8ca6b889310 100644
--- a/htdocs/comm/mailing/list.php
+++ b/htdocs/comm/mailing/list.php
@@ -40,10 +40,9 @@ $pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="m.date_creat";
 
-$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
-$sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
-
-$filteremail=$_REQUEST["filteremail"]?$_REQUEST["filteremail"]:'';
+$sall=GETPOST("sall","alpha");
+$sref=GETPOST("sref","alpha");
+$filteremail=GETPOST('filteremail','alpha');
 
 
 
@@ -62,8 +61,8 @@ if ($filteremail)
 	$sql.= " FROM ".MAIN_DB_PREFIX."mailing as m, ".MAIN_DB_PREFIX."mailing_cibles as mc";
 	$sql.= " WHERE m.rowid = mc.fk_mailing AND m.entity = ".$conf->entity;
 	$sql.= " AND mc.email = '".$db->escape($filteremail)."'";
-	if ($sref) $sql.= " AND m.rowid = '".$sref."'";
-	if ($sall) $sql.= " AND (m.titre like '%".$sall."%' OR m.sujet like '%".$sall."%' OR m.body like '%".$sall."%')";
+	if ($sref) $sql.= " AND m.rowid = '".$db->escape($sref)."'";
+	if ($sall) $sql.= " AND (m.titre like '%".$db->escape($sall)."%' OR m.sujet like '%".$db->escape($sall)."%' OR m.body like '%".$db->escape($sall)."%')";
 	if (! $sortorder) $sortorder="ASC";
 	if (! $sortfield) $sortfield="m.rowid";
 	$sql.= $db->order($sortfield,$sortorder);
@@ -74,8 +73,8 @@ else
 	$sql = "SELECT m.rowid, m.titre, m.nbemail, m.statut, m.date_creat as datec, m.date_envoi as date_envoi";
 	$sql.= " FROM ".MAIN_DB_PREFIX."mailing as m";
 	$sql.= " WHERE m.entity = ".$conf->entity;
-	if ($sref) $sql.= " AND m.rowid = '".$sref."'";
-	if ($sall) $sql.= " AND (m.titre like '%".$sall."%' OR m.sujet like '%".$sall."%' OR m.body like '%".$sall."%')";
+	if ($sref) $sql.= " AND m.rowid = '".$db->escape($sref)."'";
+	if ($sall) $sql.= " AND (m.titre like '%".$db->escape($sall)."%' OR m.sujet like '%".$db->escape($sall)."%' OR m.body like '%".$db->escape($sall)."%')";
 	if (! $sortorder) $sortorder="ASC";
 	if (! $sortfield) $sortfield="m.rowid";
 	$sql.= $db->order($sortfield,$sortorder);
@@ -94,7 +93,7 @@ if ($result)
 
 	$i = 0;
 
-	$param = "&amp;sall=".$sall;
+	$param = "&amp;sall=".urlencode($sall);
 	if ($filteremail) $param.='&amp;filteremail='.urlencode($filteremail);
 	
 	print '<form method="GET" action="'.$_SERVER["PHP_SELF"].'">';
@@ -111,11 +110,11 @@ if ($result)
 
 	print '<tr class="liste_titre">';
 	print '<td class="liste_titre">';
-	print '<input type="text" class="flat" name="sref" value="'.$sref.'" size="6">';
+	print '<input type="text" class="flat" name="sref" value="'.dol_escape_htmltag($sref).'" size="6">';
 	print '</td>';
 	// Title
 	print '<td class="liste_titre">';
-	print '<input type="text" class="flat" name="sall" value="'.$sall.'" size="40">';
+	print '<input type="text" class="flat" name="sall" value="'.dol_escape_htmltag($sall).'" size="40">';
 	print '</td>';
 	print '<td class="liste_titre">&nbsp;</td>';
 	if (! $filteremail) print '<td class="liste_titre">&nbsp;</td>';
diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php
index 3dc1d555d28..edd8aa0cd39 100644
--- a/htdocs/expedition/class/expedition.class.php
+++ b/htdocs/expedition/class/expedition.class.php
@@ -643,7 +643,15 @@ class Expedition extends CommonObject
 				for ($i = 0; $i < $cpt; $i++)
 				{
 					$obj = $this->db->fetch_object($resql);
-					if ($obj->qty <= 0) continue;
+					if (empty($obj->edbrowid))
+					{
+						$qty = $obj->qty;
+					}
+					else
+					{
+						$qty = $obj->edbqty;
+					}
+					if ($qty <= 0) continue;
 					dol_syslog(get_class($this)."::valid movement index ".$i." ed.rowid=".$obj->rowid." edb.rowid=".$obj->edbrowid);
 
 					//var_dump($this->lines[$i]);
@@ -655,7 +663,7 @@ class Expedition extends CommonObject
 						// line without batch detail
 						
 						// We decrement stock of product (and sub-products) -> update table llx_product_stock (key of this table is fk_product+fk_entrepot) and add a movement record
-						$result=$mouvS->livraison($user, $obj->fk_product, $obj->fk_entrepot, $obj->qty, $obj->subprice, $langs->trans("ShipmentValidatedInDolibarr",$numref));
+						$result=$mouvS->livraison($user, $obj->fk_product, $obj->fk_entrepot, $qty, $obj->subprice, $langs->trans("ShipmentValidatedInDolibarr",$numref));
 						if ($result < 0) {
 							$error++; break;
 						}
@@ -665,15 +673,16 @@ class Expedition extends CommonObject
 						// line with batch detail
 						
 						// We decrement stock of product (and sub-products) -> update table llx_product_stock (key of this table is fk_product+fk_entrepot) and add a movement record
-						$result=$mouvS->livraison($user, $obj->fk_product, $obj->fk_entrepot, $obj->edbqty, $obj->subprice, $langs->trans("ShipmentValidatedInDolibarr",$numref), '', $obj->eatby, $obj->sellby, $obj->batch);
+						$result=$mouvS->livraison($user, $obj->fk_product, $obj->fk_entrepot, $qty, $obj->subprice, $langs->trans("ShipmentValidatedInDolibarr",$numref), '', $obj->eatby, $obj->sellby, $obj->batch);
 						if ($result < 0) {
 							$error++; break;
 						}
 						
 						// We update content of table llx_product_batch (will be rename into llx_product_stock_batch inantoher version)
+						// We can set livraison_batch to deprecated and adapt livraison to handle batch too (mouvS->_create also calls mouvS->_create_batch)
 						if (! empty($conf->productbatch->enabled))
 						{
-							$result=$mouvS->livraison_batch($obj->fk_origin_stock, $obj->qty);		// ->fk_origin_stock = id into table llx_product_batch (will be rename into llx_product_stock_batch in another version)
+							$result=$mouvS->livraison_batch($obj->fk_origin_stock, $qty);		// ->fk_origin_stock = id into table llx_product_batch (will be rename into llx_product_stock_batch in another version)
 							if ($result < 0) { $error++; $this->errors[]=$mouvS->error; break; }
 						}
 					}
diff --git a/htdocs/livraison/card.php b/htdocs/livraison/card.php
index 7ea9920d65b..54e45080efb 100644
--- a/htdocs/livraison/card.php
+++ b/htdocs/livraison/card.php
@@ -744,9 +744,13 @@ else
 			{
 				print '<div class="tabsAction">';
 
-				if ($object->statut == 0 && $user->rights->expedition->livraison->valider && $num_prod > 0)
+				if ($object->statut == 0 && $num_prod > 0) 
 				{
-					print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=valid">'.$langs->trans("Validate").'</a>';
+					if ((empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->expedition->livraison->creer))
+						|| (! empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ! empty($user->rights->expedition->livraison_advance->validate)))
+					{
+						print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=valid">'.$langs->trans("Validate").'</a>';
+					}
 				}
 
 				if ($user->rights->expedition->livraison->supprimer)