Fix var not sanitized

2017-05-16 13:27:32 +02:00 · 2017-05-16 13:27:32 +02:00 · 68e333879f
commit 68e333879f
parent cc16bb0bef
150 changed files with 261 additions and 248 deletions
--- a/htdocs/accountancy/admin/account.php
+++ b/htdocs/accountancy/admin/account.php
@ -37,7 +37,7 @@ $langs->load("accountancy");
 $langs->load("salaries");

 $mesg = '';
-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');
 $cancel = GETPOST('cancel');
 $id = GETPOST('id', 'int');
 $rowid = GETPOST('rowid', 'int');
--- a/htdocs/accountancy/admin/card.php
+++ b/htdocs/accountancy/admin/card.php
@ -37,7 +37,7 @@ $langs->load("bills");
 $langs->load("accountancy");

 $mesg = '';
-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');
 $backtopage = GETPOST('backtopage');
 $id = GETPOST('id', 'int');
 $rowid = GETPOST('rowid', 'int');
--- a/htdocs/accountancy/admin/categories.php
+++ b/htdocs/accountancy/admin/categories.php
@ -36,7 +36,7 @@ $mesg = '';
 $id = GETPOST('id', 'int');
 $rowid = GETPOST('rowid', 'int');
 $cancel = GETPOST('cancel');
-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');
 $cat_id = GETPOST('account_category');
 $selectcpt = GETPOST('cpt_bk', 'array');
 $cpt_id = GETPOST('cptid');
--- a/htdocs/accountancy/admin/fiscalyear.php
+++ b/htdocs/accountancy/admin/fiscalyear.php
@ -25,7 +25,7 @@ require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT . '/core/lib/date.lib.php';
 require_once DOL_DOCUMENT_ROOT . '/core/class/fiscalyear.class.php';

-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');

 // Load variable for pagination
 $limit = GETPOST("limit")?GETPOST("limit","int"):$conf->liste_limit;
--- a/htdocs/accountancy/bookkeeping/card.php
+++ b/htdocs/accountancy/bookkeeping/card.php
@ -43,7 +43,7 @@ if ($user->societe_id > 0) {
 	accessforbidden();
 }

-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');
 $piece_num = GETPOST("piece_num");

 $mesg = '';
--- a/htdocs/accountancy/expensereport/index.php
+++ b/htdocs/accountancy/expensereport/index.php
@ -55,7 +55,7 @@ if ($year == 0) {
 }

 // Validate History
-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');


 /*
--- a/htdocs/accountancy/journal/bankjournal.php
+++ b/htdocs/accountancy/journal/bankjournal.php
@ -71,7 +71,7 @@ $date_startyear = GETPOST('date_startyear');
 $date_endmonth = GETPOST('date_endmonth');
 $date_endday = GETPOST('date_endday');
 $date_endyear = GETPOST('date_endyear');
-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');

 $now = dol_now();

--- a/htdocs/accountancy/journal/expensereportsjournal.php
+++ b/htdocs/accountancy/journal/expensereportsjournal.php
@ -58,7 +58,7 @@ $now = dol_now();
 if ($user->societe_id > 0)
 	accessforbidden();

-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');


 /*
--- a/htdocs/accountancy/journal/purchasesjournal.php
+++ b/htdocs/accountancy/journal/purchasesjournal.php
@ -57,7 +57,7 @@ $now = dol_now();
 if ($user->societe_id > 0)
 	accessforbidden();

-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');


 /*
--- a/htdocs/accountancy/journal/sellsjournal.php
+++ b/htdocs/accountancy/journal/sellsjournal.php
@ -60,7 +60,7 @@ $now = dol_now();
 if ($user->societe_id > 0)
 	accessforbidden();

-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');


 /*
--- a/htdocs/accountancy/report/result.php
+++ b/htdocs/accountancy/report/result.php
@ -35,7 +35,7 @@ $langs->load("accountancy");
 $langs->load("compta");

 $mesg = '';
-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');
 $cat_id = GETPOST('account_category');
 $selectcpt = GETPOST('cpt_bk');
 $id = GETPOST('id', 'int');
--- a/htdocs/adherents/ldap.php
+++ b/htdocs/adherents/ldap.php
@ -35,7 +35,7 @@ $langs->load("ldap");
 $langs->load("admin");

 $rowid = GETPOST('id','int');
-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');

 // Protection
 $socid=0;
--- a/htdocs/adherents/list.php
+++ b/htdocs/adherents/list.php
@ -37,7 +37,7 @@ $langs->load("companies");
 // Security check
 $result=restrictedArea($user,'adherent');

-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');
 $filter=GETPOST("filter");
 $statut=GETPOST("statut");
 $search=GETPOST("search");
--- a/htdocs/admin/clicktodial.php
+++ b/htdocs/admin/clicktodial.php
@ -30,7 +30,7 @@ $langs->load("admin");

 if (!$user->admin) accessforbidden();

-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');


 /*
--- a/htdocs/admin/company.php
+++ b/htdocs/admin/company.php
@ -36,7 +36,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 $langs->load("admin");
 $langs->load("companies");
--- a/htdocs/admin/events.php
+++ b/htdocs/admin/events.php
@ -35,7 +35,7 @@ $langs->load("users");
 $langs->load("admin");
 $langs->load("other");

-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');


 $securityevent=new Events($db);
--- a/htdocs/admin/external_rss.php
+++ b/htdocs/admin/external_rss.php
@ -38,7 +38,7 @@ if (!$user->admin) accessforbidden();

 $def = array();
 $lastexternalrss=0;
-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');


 /*
--- a/htdocs/admin/geoipmaxmind.php
+++ b/htdocs/admin/geoipmaxmind.php
@ -33,7 +33,7 @@ accessforbidden();
 $langs->load("admin");
 $langs->load("errors");

-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');

 /*
 * Actions
--- a/htdocs/admin/ihm.php
+++ b/htdocs/admin/ihm.php
@ -45,7 +45,7 @@ $langs->load("agenda");

 if (! $user->admin) accessforbidden();

-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');


 if (! defined("MAIN_MOTD")) define("MAIN_MOTD","");
--- a/htdocs/admin/ldap.php
+++ b/htdocs/admin/ldap.php
@ -36,7 +36,7 @@ $langs->load("admin");
 if (!$user->admin)
  accessforbidden();

-  $action = GETPOST("action");
+  $action = GETPOST('action','aZ09');

 /*
 * Actions
--- a/htdocs/admin/ldap_contacts.php
+++ b/htdocs/admin/ldap_contacts.php
@ -38,7 +38,7 @@ $langs->load("errors");
 if (!$user->admin)
  accessforbidden();

-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');
  
 /*
 * Actions
--- a/htdocs/admin/ldap_groups.php
+++ b/htdocs/admin/ldap_groups.php
@ -39,7 +39,7 @@ $langs->load("errors");
 if (!$user->admin)
  accessforbidden();
  
-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');


 /*
--- a/htdocs/admin/ldap_members.php
+++ b/htdocs/admin/ldap_members.php
@ -39,7 +39,7 @@ $langs->load("errors");
 if (!$user->admin)
  accessforbidden();

-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');

 /*
 * Actions
--- a/htdocs/admin/ldap_users.php
+++ b/htdocs/admin/ldap_users.php
@ -39,7 +39,7 @@ $langs->load("errors");
 if (!$user->admin)
  accessforbidden();

-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');

 /*
 * Actions
--- a/htdocs/admin/mailman.php
+++ b/htdocs/admin/mailman.php
@ -41,7 +41,7 @@ if (! $user->admin) accessforbidden();

 $type=array('yesno','texte','chaine');

-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');
 $testsubscribeemail = GETPOST("testsubscribeemail");
 $testunsubscribeemail = GETPOST("testunsubscribeemail");

--- a/htdocs/admin/menus.php
+++ b/htdocs/admin/menus.php
@ -27,7 +27,7 @@ require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formadmin.class.php';

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 $langs->load("companies");
 $langs->load("products");
--- a/htdocs/admin/menus/edit.php
+++ b/htdocs/admin/menus/edit.php
@ -43,7 +43,7 @@ foreach($dirmenus as $dirmenu)
    $dirsmartphone[]=$dirmenu.'smartphone';
 }

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 $menu_handler_top=$conf->global->MAIN_MENU_STANDARD;
 $menu_handler_smartphone=$conf->global->MAIN_MENU_SMARTPHONE;
--- a/htdocs/admin/notification.php
+++ b/htdocs/admin/notification.php
@ -41,7 +41,7 @@ $langs->load("mails");
 if (!$user->admin)
  accessforbidden();

-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');


 /*
--- a/htdocs/admin/perms.php
+++ b/htdocs/admin/perms.php
@ -32,7 +32,7 @@ $langs->load("admin");
 $langs->load("users");
 $langs->load("other");

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 if (!$user->admin) accessforbidden();

--- a/htdocs/admin/proxy.php
+++ b/htdocs/admin/proxy.php
@ -40,7 +40,7 @@ $upload_dir=$conf->admin->dir_temp;
 * Actions
 */

-if (GETPOST("action") == 'set_proxy')
+if (GETPOST('action','aZ09') == 'set_proxy')
 {
    if (GETPOST("MAIN_USE_CONNECT_TIMEOUT") && ! is_numeric(GETPOST("MAIN_USE_CONNECT_TIMEOUT")))
    {
--- a/htdocs/admin/security.php
+++ b/htdocs/admin/security.php
@ -27,7 +27,7 @@ require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 $langs->load("users");
 $langs->load("admin");
--- a/htdocs/admin/sms.php
+++ b/htdocs/admin/sms.php
@ -43,7 +43,7 @@ $substitutionarrayfortest=array(
 '__FIRSTNAME__' => 'TESTFirstname'
 );

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');


 /*
--- a/htdocs/admin/spip.php
+++ b/htdocs/admin/spip.php
@ -41,7 +41,7 @@ if (! $user->admin) accessforbidden();

 $type=array('yesno','texte','chaine');

-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');


 /*
--- a/htdocs/admin/syslog.php
+++ b/htdocs/admin/syslog.php
@ -35,7 +35,7 @@ $langs->load("admin");
 $langs->load("other");

 $error=0;
-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');

 $syslogModules = array();
 $activeModules = array();
--- a/htdocs/admin/system/perf.php
+++ b/htdocs/admin/system/perf.php
@ -33,7 +33,7 @@ $langs->load("other");
 if (! $user->admin)
 	accessforbidden();

-if (GETPOST('action') == 'donothing')
+if (GETPOST('action','aZ09') == 'donothing')
 {
 	exit;
 }
--- a/htdocs/admin/system/xcache.php
+++ b/htdocs/admin/system/xcache.php
@ -26,7 +26,7 @@ $langs->load("admin");

 if (!$user->admin) accessforbidden();

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');


 /*
--- a/htdocs/api/admin/index.php
+++ b/htdocs/api/admin/index.php
@ -34,7 +34,7 @@ $langs->load("admin");
 if (! $user->admin)
 	accessforbidden();

-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');

 //Activate ProfId
 if ($action == 'setproductionmode')
--- a/htdocs/barcode/codeinit.php
+++ b/htdocs/barcode/codeinit.php
@ -38,7 +38,7 @@ $forbarcode=GETPOST('forbarcode');
 $fk_barcode_type=GETPOST('fk_barcode_type');
 $eraseallbarcode=GETPOST('eraseallbarcode');

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 $producttmp=new Product($db);
 $thirdpartytmp=new Societe($db);
--- a/htdocs/barcode/printsheet.php
+++ b/htdocs/barcode/printsheet.php
@ -45,7 +45,7 @@ $numberofsticker=GETPOST('numberofsticker','int');

 $mesg='';

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 $producttmp=new Product($db);
 $thirdpartytmp=new Societe($db);
--- a/htdocs/cashdesk/validation_verif.php
+++ b/htdocs/cashdesk/validation_verif.php
@ -34,7 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
 $obj_facturation = unserialize($_SESSION['serObjFacturation']);
 unset ($_SESSION['serObjFacturation']);

-$action =GETPOST('action');
+$action =GETPOST('action','aZ09');
 $bankaccountid=GETPOST('cashdeskbank');

 switch ($action)
--- a/htdocs/categories/admin/categorie.php
+++ b/htdocs/categories/admin/categorie.php
@ -32,7 +32,7 @@ accessforbidden();

 $langs->load("categories");

-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');

 /*
 *	Actions
--- a/htdocs/categories/edit.php
+++ b/htdocs/categories/edit.php
@ -34,7 +34,7 @@ $langs->load("categories");
 $id=GETPOST('id','int');
 $ref=GETPOST('ref');
 $type=GETPOST('type');
-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');
 $confirm=GETPOST('confirm');
 $cancel=GETPOST('cancel');

--- a/htdocs/categories/photos.php
+++ b/htdocs/categories/photos.php
@ -39,7 +39,7 @@ $langs->load("bills");
 $id=GETPOST('id','int');
 $ref=GETPOST('ref');
 $type=GETPOST('type');
-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');
 $confirm=GETPOST('confirm');

 if ($id == "")
--- a/htdocs/categories/viewcat.php
+++ b/htdocs/categories/viewcat.php
@ -37,7 +37,7 @@ $langs->load("categories");
 $id=GETPOST('id','int');
 $ref=GETPOST('ref');
 $type=GETPOST('type');
-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');
 $confirm=GETPOST('confirm');
 $removeelem = GETPOST('removeelem','int');
 $elemid=GETPOST('elemid');
--- a/htdocs/collab/index.php
+++ b/htdocs/collab/index.php
@ -77,7 +77,7 @@ $langs->load("website");

 if (! $user->admin) accessforbidden();

-if (! ((GETPOST('testmenuhider') || ! empty($conf->global->MAIN_TESTMENUHIDER)) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)))
+if (! ((GETPOST('testmenuhider','int') || ! empty($conf->global->MAIN_TESTMENUHIDER)) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)))
 {
    $conf->dol_hide_leftmenu = 1;   // Force hide of left menu.
 }
--- a/htdocs/comm/card.php
+++ b/htdocs/comm/card.php
@ -60,7 +60,7 @@ $id = (GETPOST('socid','int') ? GETPOST('socid','int') : GETPOST('id','int'));
 if ($user->societe_id > 0) $id=$user->societe_id;
 $result = restrictedArea($user,'societe',$id,'&societe');

-$action		= GETPOST('action');
+$action		= GETPOST('action','aZ09');
 $mode		= GETPOST("mode");

 $sortfield = GETPOST("sortfield",'alpha');
--- a/htdocs/comm/mailing/advtargetemailing.php
+++ b/htdocs/comm/mailing/advtargetemailing.php
@ -59,7 +59,7 @@ if (! $sortfield)

 $id = GETPOST('id', 'int');
 $rowid = GETPOST('rowid', 'int');
-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');
 $search_nom = GETPOST("search_nom");
 $search_prenom = GETPOST("search_prenom");
 $search_email = GETPOST("search_email");
--- a/htdocs/comm/mailing/cibles.php
+++ b/htdocs/comm/mailing/cibles.php
@ -52,7 +52,7 @@ if (! $sortorder) $sortorder="ASC";

 $id=GETPOST('id','int');
 $rowid=GETPOST('rowid','int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');
 $search_lastname=GETPOST("search_lastname");
 $search_firstname=GETPOST("search_firstname");
 $search_email=GETPOST("search_email");
--- a/htdocs/comm/remise.php
+++ b/htdocs/comm/remise.php
@ -52,7 +52,7 @@ if (GETPOST('cancel') && ! empty($backtopage))
     exit;
 }

-if (GETPOST("action") == 'setremise')
+if (GETPOST('action','aZ09') == 'setremise')
 {
 	$object = new Societe($db);
 	$object->fetch($id);
--- a/htdocs/comm/remx.php
+++ b/htdocs/comm/remx.php
@ -185,7 +185,7 @@ if ($action == 'setremise' && $user->rights->societe->creer)
 	}
 }

-if (GETPOST("action") == 'confirm_remove' && GETPOST("confirm")=='yes')
+if (GETPOST('action','aZ09') == 'confirm_remove' && GETPOST("confirm")=='yes')
 {
 	//if ($user->rights->societe->creer)
 	//if ($user->rights->facture->creer)
--- a/htdocs/commande/customer.php
+++ b/htdocs/commande/customer.php
@ -30,7 +30,7 @@ require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
 require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 // Secrutiy check
 if ($user->societe_id > 0)
--- a/htdocs/commande/document.php
+++ b/htdocs/commande/document.php
@ -36,7 +36,7 @@ require_once DOL_DOCUMENT_ROOT .'/commande/class/commande.class.php';
 $langs->load('companies');
 $langs->load('other');

-$action		= GETPOST('action');
+$action		= GETPOST('action','aZ09');
 $confirm	= GETPOST('confirm');
 $id			= GETPOST('id','int');
 $ref		= GETPOST('ref');
--- a/htdocs/compta/bank/card.php
+++ b/htdocs/compta/bank/card.php
@ -46,7 +46,7 @@ $langs->load("categories");
 $langs->load("companies");
 $langs->load("compta");

-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');
 $cancel = GETPOST('cancel', 'alpha');

 // Security check
--- a/htdocs/compta/bank/categ.php
+++ b/htdocs/compta/bank/categ.php
@ -33,7 +33,7 @@ require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/bankcateg.class.php';
 $langs->load("banks");
 $langs->load("categories");

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 if (!$user->rights->banque->configurer)
  accessforbidden();
@ -108,7 +108,7 @@ if ($result)
 		
 		print '<tr class="oddeven">';
 		print '<td><a href="'.DOL_URL_ROOT.'/compta/bank/budget.php?bid='.$objp->rowid.'">'.$objp->rowid.'</a></td>';
-		if (GETPOST("action") == 'edit' && GETPOST("categid")== $objp->rowid)
+		if (GETPOST('action','aZ09') == 'edit' && GETPOST("categid")== $objp->rowid)
 		{
 			print "<td colspan=2>";
 			print '<input type="hidden" name="categid" value="'.$objp->rowid.'">';
--- a/htdocs/compta/bank/various_payment/info.php
+++ b/htdocs/compta/bank/various_payment/info.php
@ -31,7 +31,7 @@ $langs->load("bills");
 $langs->load("salaries");

 $id=GETPOST('id','int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');

 // Security check
 $socid = GETPOST('socid','int');
--- a/htdocs/compta/clients.php
+++ b/htdocs/compta/clients.php
@ -27,7 +27,7 @@ require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
 require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 // Secrutiy check
 if ($user->societe_id > 0)
--- a/htdocs/compta/paiement.php
+++ b/htdocs/compta/paiement.php
@ -817,7 +817,7 @@ if ($action == 'create' || $action == 'confirm_paiement' || $action == 'add_paie
 /**
 *  Show list of payments
 */
-if (! GETPOST('action'))
+if (! GETPOST('action','aZ09'))
 {
    if ($page == -1) $page = 0 ;
    $limit = GETPOST('limit')?GETPOST('limit','int'):$conf->liste_limit;
--- a/htdocs/compta/paiement/rapport.php
+++ b/htdocs/compta/paiement/rapport.php
@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
 // Security check
 if (! $user->rights->facture->lire) accessforbidden();

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 $socid=0;
 if ($user->societe_id > 0)
--- a/htdocs/compta/payment_sc/card.php
+++ b/htdocs/compta/payment_sc/card.php
@ -38,7 +38,7 @@ $langs->load('companies');

 // Security check
 $id=GETPOST("id",'int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');
 $confirm=GETPOST('confirm');
 if ($user->societe_id) $socid=$user->societe_id;
 // TODO ajouter regle pour restreindre acces paiement
--- a/htdocs/compta/salaries/card.php
+++ b/htdocs/compta/salaries/card.php
@ -39,7 +39,7 @@ $langs->load("salaries");
 $langs->load('hrm');

 $id=GETPOST("id",'int');
-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 // Security check
 $socid = GETPOST("socid","int");
--- a/htdocs/compta/salaries/info.php
+++ b/htdocs/compta/salaries/info.php
@ -32,7 +32,7 @@ $langs->load("bills");
 $langs->load("salaries");

 $id=GETPOST('id','int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');

 // Security check
 $socid = GETPOST('socid','int');
--- a/htdocs/compta/sociales/card.php
+++ b/htdocs/compta/sociales/card.php
@ -38,7 +38,7 @@ $langs->load("compta");
 $langs->load("bills");

 $id=GETPOST('id','int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');
 $confirm=GETPOST('confirm');
 $projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0);

--- a/htdocs/compta/sociales/document.php
+++ b/htdocs/compta/sociales/document.php
@ -40,7 +40,7 @@ $langs->load("compta");
 $langs->load("bills");

 $id = GETPOST('id','int');
-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');
 $confirm = GETPOST('confirm', 'alpha');

 // Security check
--- a/htdocs/compta/sociales/info.php
+++ b/htdocs/compta/sociales/info.php
@ -30,7 +30,7 @@ $langs->load("compta");
 $langs->load("bills");

 $id=GETPOST('id','int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');

 // Security check
 $socid = GETPOST('socid','int');
--- a/htdocs/compta/tva/info.php
+++ b/htdocs/compta/tva/info.php
@ -30,7 +30,7 @@ $langs->load("compta");
 $langs->load("bills");

 $id=GETPOST('id','int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');

 // Security check
 $socid = GETPOST('socid','int');
--- a/htdocs/contact/document.php
+++ b/htdocs/contact/document.php
@ -34,7 +34,7 @@ $langs->load("companies");
 $langs->load("contact");

 $id = GETPOST('id','int');
-$action = GETPOST("action");
+$action = GETPOST('action','aZ09');
 $confirm = GETPOST('confirm', 'alpha');

 $object = new Contact($db);
--- a/htdocs/contact/ldap.php
+++ b/htdocs/contact/ldap.php
@ -32,7 +32,7 @@ $langs->load("companies");
 $langs->load("ldap");
 $langs->load("admin");

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');

 // Security check
 $id = GETPOST('id', 'int');
--- a/htdocs/contact/note.php
+++ b/htdocs/contact/note.php
@ -29,7 +29,7 @@ require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/contact.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';

-$action = GETPOST('action');
+$action = GETPOST('action','aZ09');

 $langs->load("companies");

--- a/htdocs/core/ajax/ajaxdirpreview.php
+++ b/htdocs/core/ajax/ajaxdirpreview.php
@ -40,7 +40,7 @@ if (! isset($mode) || $mode != 'noajax')    // For ajax call
    require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';
    require_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmdirectory.class.php';

-	$action=GETPOST("action");
+	$action=GETPOST('action','aZ09');
    $file=urldecode(GETPOST('file'));
    $section=GETPOST("section");
    $module=GETPOST("module");
--- a/htdocs/core/ajax/bankconciliate.php
+++ b/htdocs/core/ajax/bankconciliate.php
@ -31,7 +31,7 @@ require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');


 /*
--- a/htdocs/core/boxes/box_graph_invoices_permonth.php
+++ b/htdocs/core/boxes/box_graph_invoices_permonth.php
@ -122,7 +122,7 @@ class box_graph_invoices_permonth extends ModeleBoxes
 			// Build graphic number of object. $data = array(array('Lib',val1,val2,val3),...)
 			if ($shownb)
 			{
-				$data1 = $stats->getNbByMonthWithPrevYear($endyear,$startyear,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data1 = $stats->getNbByMonthWithPrevYear($endyear,$startyear,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));

 				$filenamenb = $dir."/".$prefix."invoicesnbinyear-".$endyear.".png";
 				if ($mode == 'customer') $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=billstats&amp;file=invoicesnbinyear-'.$endyear.'.png';
@ -162,7 +162,7 @@ class box_graph_invoices_permonth extends ModeleBoxes
 			// Build graphic number of object. $data = array(array('Lib',val1,val2,val3),...)
 			if ($showtot)
 			{
-				$data2 = $stats->getAmountByMonthWithPrevYear($endyear,$startyear,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data2 = $stats->getAmountByMonthWithPrevYear($endyear,$startyear,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));

 				$filenamenb = $dir."/".$prefix."invoicesamountinyear-".$endyear.".png";
 				if ($mode == 'customer') $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=billstats&amp;file=invoicesamountinyear-'.$endyear.'.png';
--- a/htdocs/core/boxes/box_graph_invoices_supplier_permonth.php
+++ b/htdocs/core/boxes/box_graph_invoices_supplier_permonth.php
@ -121,7 +121,7 @@ class box_graph_invoices_supplier_permonth extends ModeleBoxes
 			// Build graphic number of object. $data = array(array('Lib',val1,val2,val3),...)
 			if ($shownb)
 			{
-				$data1 = $stats->getNbByMonthWithPrevYear($endyear,$startyear,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data1 = $stats->getNbByMonthWithPrevYear($endyear,$startyear,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));

 				$filenamenb = $dir."/".$prefix."invoicessuppliernbinyear-".$year.".png";
 				if ($mode == 'customer') $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=billstats&amp;file=invoicesnbinyear-'.$year.'.png';
@ -161,7 +161,7 @@ class box_graph_invoices_supplier_permonth extends ModeleBoxes
 			// Build graphic number of object. $data = array(array('Lib',val1,val2,val3),...)
 			if ($showtot)
 			{
-				$data2 = $stats->getAmountByMonthWithPrevYear($endyear,$startyear,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data2 = $stats->getAmountByMonthWithPrevYear($endyear,$startyear,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));

 				$filenamenb = $dir."/".$prefix."invoicessupplieramountinyear-".$year.".png";
 				if ($mode == 'customer') $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=billstats&amp;file=invoicesamountinyear-'.$year.'.png';
--- a/htdocs/core/boxes/box_graph_orders_permonth.php
+++ b/htdocs/core/boxes/box_graph_orders_permonth.php
@ -124,7 +124,7 @@ class box_graph_orders_permonth extends ModeleBoxes
 			// Build graphic number of object. $data = array(array('Lib',val1,val2,val3),...)
 			if ($shownb)
 			{
-				$data1 = $stats->getNbByMonthWithPrevYear($endyear,$startyear,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data1 = $stats->getNbByMonthWithPrevYear($endyear,$startyear,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));

 				$filenamenb = $dir."/".$prefix."ordersnbinyear-".$endyear.".png";
 				if ($mode == 'customer') $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=orderstats&amp;file=ordersnbinyear-'.$endyear.'.png';
@ -162,7 +162,7 @@ class box_graph_orders_permonth extends ModeleBoxes
 			// Build graphic number of object. $data = array(array('Lib',val1,val2,val3),...)
 			if ($showtot)
 			{
-				$data2 = $stats->getAmountByMonthWithPrevYear($endyear,$startyear,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data2 = $stats->getAmountByMonthWithPrevYear($endyear,$startyear,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));

 				$filenamenb = $dir."/".$prefix."ordersamountinyear-".$endyear.".png";
 				if ($mode == 'customer') $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=orderstats&amp;file=ordersamountinyear-'.$endyear.'.png';
--- a/htdocs/core/boxes/box_graph_orders_supplier_permonth.php
+++ b/htdocs/core/boxes/box_graph_orders_supplier_permonth.php
@ -123,7 +123,7 @@ class box_graph_orders_supplier_permonth extends ModeleBoxes
 			// Build graphic number of object. $data = array(array('Lib',val1,val2,val3),...)
 			if ($shownb)
 			{
-				$data1 = $stats->getNbByMonthWithPrevYear($endyear,$startyear,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data1 = $stats->getNbByMonthWithPrevYear($endyear,$startyear,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));

 				$filenamenb = $dir."/".$prefix."orderssuppliernbinyear-".$endyear.".png";
 				if ($mode == 'customer') $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=orderstats&amp;file=ordersnbinyear-'.$endyear.'.png';
@ -161,7 +161,7 @@ class box_graph_orders_supplier_permonth extends ModeleBoxes
 			// Build graphic number of object. $data = array(array('Lib',val1,val2,val3),...)
 			if ($showtot)
 			{
-				$data2 = $stats->getAmountByMonthWithPrevYear($endyear,$startyear,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data2 = $stats->getAmountByMonthWithPrevYear($endyear,$startyear,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));

 				$filenamenb = $dir."/".$prefix."orderssupplieramountinyear-".$endyear.".png";
 				if ($mode == 'customer') $fileurlnb = DOL_URL_ROOT.'/viewimage.php?modulepart=orderstats&amp;file=ordersamountinyear-'.$endyear.'.png';
--- a/htdocs/core/boxes/box_graph_product_distribution.php
+++ b/htdocs/core/boxes/box_graph_product_distribution.php
@ -139,7 +139,7 @@ class box_graph_product_distribution extends ModeleBoxes
 				$showpointvalue = 1; $nocolor = 0;
 				$mode='customer';
 				$stats_invoice = new FactureStats($this->db, $socid, $mode, ($userid>0?$userid:0));
-				$data1 = $stats_invoice->getAllByProductEntry($year,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data1 = $stats_invoice->getAllByProductEntry($year,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));
 				if (empty($data1))
 				{
 					$showpointvalue=0;
@ -197,7 +197,7 @@ class box_graph_product_distribution extends ModeleBoxes

 				$showpointvalue = 1; $nocolor = 0;
 				$stats_proposal = new PropaleStats($this->db, $socid, ($userid>0?$userid:0));
-				$data2 = $stats_proposal->getAllByProductEntry($year,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data2 = $stats_proposal->getAllByProductEntry($year,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));
 				if (empty($data2))
 				{
 					$showpointvalue = 0;
@ -259,7 +259,7 @@ class box_graph_product_distribution extends ModeleBoxes
 				$showpointvalue = 1; $nocolor = 0;
 				$mode='customer';
 				$stats_order = new CommandeStats($this->db, $socid, $mode, ($userid>0?$userid:0));
-				$data3 = $stats_order->getAllByProductEntry($year,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data3 = $stats_order->getAllByProductEntry($year,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));
 				if (empty($data3))
 				{
 					$showpointvalue = 0;
--- a/htdocs/core/boxes/box_graph_propales_permonth.php
+++ b/htdocs/core/boxes/box_graph_propales_permonth.php
@ -121,7 +121,7 @@ class box_graph_propales_permonth extends ModeleBoxes
 			// Build graphic number of object. $data = array(array('Lib',val1,val2,val3),...)
 			if ($shownb)
 			{
-				$data1 = $stats->getNbByMonthWithPrevYear($endyear,$startyear,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data1 = $stats->getNbByMonthWithPrevYear($endyear,$startyear,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));
 				$datatype1 = array_pad(array(), ($endyear-$startyear+1), 'bars');

 				$filenamenb = $dir."/".$prefix."propalsnbinyear-".$endyear.".png";
@ -160,7 +160,7 @@ class box_graph_propales_permonth extends ModeleBoxes
 			// Build graphic number of object. $data = array(array('Lib',val1,val2,val3),...)
 			if ($showtot)
 			{
-				$data2 = $stats->getAmountByMonthWithPrevYear($endyear,$startyear,(GETPOST('action')==$refreshaction?-1:(3600*24)));
+				$data2 = $stats->getAmountByMonthWithPrevYear($endyear,$startyear,(GETPOST('action','aZ09')==$refreshaction?-1:(3600*24)));
 				$datatype2 = array_pad(array(), ($endyear-$startyear+1), 'bars');
 				//$datatype2 = array('lines','bars');

--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@ -110,18 +110,18 @@ class Form
        }
        else
 		{
-            if (empty($notabletag) && GETPOST('action') != 'edit'.$htmlname && $perm) $ret.='<table class="nobordernopadding" width="100%"><tr><td class="nowrap">';
+            if (empty($notabletag) && GETPOST('action','aZ09') != 'edit'.$htmlname && $perm) $ret.='<table class="nobordernopadding" width="100%"><tr><td class="nowrap">';
 	        if ($fieldrequired) $ret.='<span class="fieldrequired">';
            $ret.=$langs->trans($text);
 	        if ($fieldrequired) $ret.='</span>';
 	        if (! empty($notabletag)) $ret.=' ';
-            if (empty($notabletag) && GETPOST('action') != 'edit'.$htmlname && $perm) $ret.='</td>';
-            if (empty($notabletag) && GETPOST('action') != 'edit'.$htmlname && $perm) $ret.='<td align="right">';
-            if ($htmlname && GETPOST('action') != 'edit'.$htmlname && $perm) $ret.='<a href="'.$_SERVER["PHP_SELF"].'?action=edit'.$htmlname.'&amp;id='.$object->id.$moreparam.'">'.img_edit($langs->trans('Edit'), ($notabletag ? 0 : 1)).'</a>';
+            if (empty($notabletag) && GETPOST('action','aZ09') != 'edit'.$htmlname && $perm) $ret.='</td>';
+            if (empty($notabletag) && GETPOST('action','aZ09') != 'edit'.$htmlname && $perm) $ret.='<td align="right">';
+            if ($htmlname && GETPOST('action','aZ09') != 'edit'.$htmlname && $perm) $ret.='<a href="'.$_SERVER["PHP_SELF"].'?action=edit'.$htmlname.'&amp;id='.$object->id.$moreparam.'">'.img_edit($langs->trans('Edit'), ($notabletag ? 0 : 1)).'</a>';
 	        if (! empty($notabletag) && $notabletag == 1) $ret.=' : ';
 	        if (! empty($notabletag) && $notabletag == 3) $ret.=' ';
-            if (empty($notabletag) && GETPOST('action') != 'edit'.$htmlname && $perm) $ret.='</td>';
-            if (empty($notabletag) && GETPOST('action') != 'edit'.$htmlname && $perm) $ret.='</tr></table>';
+            if (empty($notabletag) && GETPOST('action','aZ09') != 'edit'.$htmlname && $perm) $ret.='</td>';
+            if (empty($notabletag) && GETPOST('action','aZ09') != 'edit'.$htmlname && $perm) $ret.='</tr></table>';
        }

        return $ret;
@ -159,7 +159,7 @@ class Form
        }
        else
        {
-            if (GETPOST('action') == 'edit'.$htmlname)
+            if (GETPOST('action','aZ09') == 'edit'.$htmlname)
            {
                $ret.="\n";
                $ret.='<form method="post" action="'.$_SERVER["PHP_SELF"].($moreparam?'?'.$moreparam:'').'">';
--- a/htdocs/core/class/html.formfile.class.php
+++ b/htdocs/core/class/html.formfile.class.php
@ -994,7 +994,7 @@ class FormFile
 			if (empty($url)) $url=$_SERVER["PHP_SELF"];
 			
 			print '<!-- html.formfile::list_of_documents -->'."\n";
-			if (GETPOST('action') == 'editfile' && $permtoeditline)
+			if (GETPOST('action','aZ09') == 'editfile' && $permtoeditline)
 			{
 			    print '<form action="'.$_SERVER["PHP_SELF"].'?'.$param.'" method="POST">';
 			    print '<input type="hidden" name="action" value="renamefile">';
@ -1131,7 +1131,7 @@ class FormFile
 					print img_mime($file['name'],$file['name'].' ('.dol_print_size($file['size'],0,0).')').' ';
 					if ($showrelpart == 1) print $relativepath;
 					//print dol_trunc($file['name'],$maxlength,'middle');
-					if (GETPOST('action') == 'editfile' && $file['name'] == basename(GETPOST('urlfile')))
+					if (GETPOST('action','aZ09') == 'editfile' && $file['name'] == basename(GETPOST('urlfile')))
 					{
 					    print '</a>';
 					    print '<input type="hidden" name="renamefilefrom" value="'.dol_escape_htmltag($file['name']).'">';
@ -1268,7 +1268,7 @@ class FormFile
 				}
 			}				
 			
-			if (GETPOST('action') == 'editfile' && $permtoeditline)
+			if (GETPOST('action','aZ09') == 'editfile' && $permtoeditline)
 			{
 			    print '</form>';
 			}
--- a/htdocs/core/datepicker.php
+++ b/htdocs/core/datepicker.php
@ -39,7 +39,6 @@ if (! defined('NOREQUIREHTML'))   define('NOREQUIREHTML',1);
 require_once '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';

-if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang'));	// If language was forced on URL by the main.inc.php
 $langs->load("main");
 $langs->load("agenda");
 $right=($langs->trans("DIRECTION")=='rtl'?'left':'right');
--- a/htdocs/core/get_menudiv.php
+++ b/htdocs/core/get_menudiv.php
@ -47,7 +47,6 @@ if (! defined('DISABLE_SELECT2'))           define('DISABLE_SELECT2',1);

 require_once '../main.inc.php';

-if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang'));	// If language was forced on URL by the main.inc.php
 $langs->load("main");
 $right=($langs->trans("DIRECTION")=='rtl'?'left':'right');
 $left=($langs->trans("DIRECTION")=='rtl'?'right':'left');
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@ -240,7 +240,17 @@ function dol_shutdown()
 *  Return value of a param into GET or POST supervariable
 *
 *  @param	string	$paramname   Name of parameter to found
- *  @param	string	$check	     Type of check (''=no check, 'none'=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array, 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string), 'day', 'month', 'year', 'custom'= custom filter specify $filter and $options)
+ *  @param	string	$check	     Type of check
+ *                                  ''=no check (deprecated)
+ *                                  'none'=no check (only for param that should have very rich content)
+ *                                  'int'=check it's numeric
+ *                                  'alpha'=check it's text and sign
+ *                                  'aZ'=check it's a-z only
+ *                                  'aZ09'=check it's simple alpha string (recommended for keys)
+ *                                  'array'=check it's array
+ *                                  'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string)
+ *                                  'nohtml', 'alphanohtml'=check there is no html content
+ *                                  'custom'= custom filter specify $filter and $options)
 *  @param	int		$method	     Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get, 4 = post then get then cookie)
 *  @param  int     $filter      Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails)
 *  @param  mixed   $options     Options to pass to filter_var when $check is set to 'custom'.
@ -317,9 +327,14 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
 	    }
 	}	
 	
+	if (empty($check) && $conf->global->MAIN_FEATURES_LEVEL > 0)
+	{
+	   dol_syslog("A GETPOST is called with 1st param = ".$paramname." and 2nd param not defined, when calling page ".$_SERVER["PHP_SELF"], LOG_WARNING);    
+	}
+	
 	if (! empty($check))
 	{
-	    // Replace vars like __DAY__, __MONTH__, __YEAR__, __MYCOUNTRYID__, __USERID__, __ENTITYID__
+	    // Replace vars like __DAY__, __MONTH__, __YEAR__, __MYCOUNTRYID__, __USERID__, __ENTITYID__, ...
 	    if (! is_array($out))
 	    {
 	        $maxloop=20; $loopnb=0;    // Protection against infinite loop
@ -358,8 +373,11 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL)
 	        }
 	    }

+	    // Check is done after replacement
 	    switch ($check)
 	    {
+	        case 'none':
+	            break;
 	        case 'int':
 	            if (! is_numeric($out)) { $out=''; }
 	            break;
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@ -98,7 +98,7 @@ function dol_hash($chain,$type=0)

 /**
 *	Check permissions of a user to show a page and an object. Check read permission.
- * 	If GETPOST('action') defined, we also check write and delete permission.
+ * 	If GETPOST('action','aZ09') defined, we also check write and delete permission.
 *
 *	@param	User	$user      	  	User to check
 *	@param  string	$features	    Features to check (it must be module name. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
@ -207,7 +207,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu

    // Check write permission from module
    $createok=1; $nbko=0;
-    if (GETPOST("action")  == 'create')
+    if (GETPOST('action','aZ09')  == 'create')
    {
        foreach ($featuresarray as $feature)
        {
@ -262,7 +262,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu

    // Check create user permission
    $createuserok=1;
-    if (GETPOST("action") == 'confirm_create_user' && GETPOST("confirm") == 'yes')
+    if (GETPOST('action','aZ09') == 'confirm_create_user' && GETPOST("confirm") == 'yes')
    {
        if (! $user->rights->user->user->creer) $createuserok=0;

@ -272,7 +272,7 @@ function restrictedArea($user, $features, $objectid=0, $tableandshare='', $featu

    // Check delete permission from module
    $deleteok=1; $nbko=0;
-    if ((GETPOST("action")  == 'confirm_delete' && GETPOST("confirm") == 'yes') || GETPOST("action")  == 'delete')
+    if ((GETPOST('action','aZ09')  == 'confirm_delete' && GETPOST("confirm") == 'yes') || GETPOST('action','aZ09')  == 'delete')
    {
        foreach ($featuresarray as $feature)
        {
--- a/htdocs/core/lib/security2.lib.php
+++ b/htdocs/core/lib/security2.lib.php
@ -155,7 +155,7 @@ function dol_loginfunction($langs,$conf,$mysoc)
 	$titletruedolibarrversion=constant('DOL_VERSION');	// $title used by login template after the @ to inform of true Dolibarr version

 	// Note: $conf->css looks like '/theme/eldy/style.css.php'
-	$conf->css = "/theme/".(GETPOST('theme')?GETPOST('theme','alpha'):$conf->theme)."/style.css.php";
+	$conf->css = "/theme/".(GETPOST('theme','alpha')?GETPOST('theme','alpha'):$conf->theme)."/style.css.php";
 	//$themepath=dol_buildpath((empty($conf->global->MAIN_FORCETHEMEDIR)?'':$conf->global->MAIN_FORCETHEMEDIR).$conf->css,1);
 	$themepath=dol_buildpath($conf->css,1);
 	if (! empty($conf->modules_parts['theme']))		// Using this feature slow down application
--- a/htdocs/core/lib/usergroups.lib.php
+++ b/htdocs/core/lib/usergroups.lib.php
@ -417,7 +417,7 @@ function show_theme($fuser,$edit=0,$foruserprofile=false)
    					$file=$dirtheme."/".$subdir."/thumb.png";
    					$url=$urltheme."/".$subdir."/thumb.png";
    					if (! file_exists($file)) $url=DOL_URL_ROOT.'/public/theme/common/nophoto.png';
-    					print '<a href="'.$_SERVER["PHP_SELF"].($edit?'?action=edit&theme=':'?theme=').$subdir.(GETPOST("optioncss")?'&optioncss='.GETPOST("optioncss",'alpha',1):'').($fuser?'&id='.$fuser->id:'').'" style="font-weight: normal;" alt="'.$langs->trans("Preview").'">';
+    					print '<a href="'.$_SERVER["PHP_SELF"].($edit?'?action=edit&theme=':'?theme=').$subdir.(GETPOST('optioncss','alpha',1)?'&optioncss='.GETPOST('optioncss','alpha',1):'').($fuser?'&id='.$fuser->id:'').'" style="font-weight: normal;" alt="'.$langs->trans("Preview").'">';
    					if ($subdir == $conf->global->MAIN_THEME) $title=$langs->trans("ThemeCurrentlyActive");
    					else $title=$langs->trans("ShowPreview");
    					print '<img src="'.$url.'" border="0" width="80" height="60" alt="'.$title.'" title="'.$title.'" style="margin-bottom: 5px;">';
--- a/htdocs/core/menus/standard/auguria.lib.php
+++ b/htdocs/core/menus/standard/auguria.lib.php
@ -53,7 +53,7 @@ function print_auguria_menu($db,$atarget,$type_user,&$tabMenu,&$menu,$noout=0,$m

 	if (empty($noout)) print_start_menu_array_auguria();

-	$usemenuhider = (GETPOST('testmenuhider') || ! empty($conf->global->MAIN_TESTMENUHIDER));
+	$usemenuhider = (GETPOST('testmenuhider','int') || ! empty($conf->global->MAIN_TESTMENUHIDER));
 	
 	// Show/Hide vertical menu
 	if ($mode != 'jmobile' && $mode != 'topnb' && $usemenuhider && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER))
@ -248,7 +248,7 @@ function print_left_auguria_menu($db,$menu_array_before,$menu_array_after,&$tabM
 	$mainmenu=($forcemainmenu?$forcemainmenu:$_SESSION["mainmenu"]);
 	$leftmenu=($forceleftmenu?'':(empty($_SESSION["leftmenu"])?'none':$_SESSION["leftmenu"]));

-	$usemenuhider = (GETPOST('testmenuhider') || ! empty($conf->global->MAIN_TESTMENUHIDER));
+	$usemenuhider = (GETPOST('testmenuhider','int') || ! empty($conf->global->MAIN_TESTMENUHIDER));
 	global $usemenuhider;
 	
 	// Show logo company
--- a/htdocs/core/menus/standard/eldy.lib.php
+++ b/htdocs/core/menus/standard/eldy.lib.php
@ -51,7 +51,7 @@ function print_eldy_menu($db,$atarget,$type_user,&$tabMenu,&$menu,$noout=0,$mode

 	if (empty($noout)) print_start_menu_array();

-	$usemenuhider = (GETPOST('testmenuhider') || ! empty($conf->global->MAIN_TESTMENUHIDER));
+	$usemenuhider = (GETPOST('testmenuhider','int') || ! empty($conf->global->MAIN_TESTMENUHIDER));
 	
 	// Show/Hide vertical menu
 	if ($mode != 'jmobile' && $mode != 'topnb' && $usemenuhider && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER))
@ -458,7 +458,7 @@ function print_left_eldy_menu($db,$menu_array_before,$menu_array_after,&$tabMenu
 	$mainmenu=($forcemainmenu?$forcemainmenu:$_SESSION["mainmenu"]);
 	$leftmenu=($forceleftmenu?'':(empty($_SESSION["leftmenu"])?'none':$_SESSION["leftmenu"]));

-	$usemenuhider = (GETPOST('testmenuhider') || ! empty($conf->global->MAIN_TESTMENUHIDER));
+	$usemenuhider = (GETPOST('testmenuhider','int') || ! empty($conf->global->MAIN_TESTMENUHIDER));
 	
 	// Show logo company
 	if (empty($conf->global->MAIN_MENU_INVERT) && empty($noout) && ! empty($conf->global->MAIN_SHOW_LOGO) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER))
--- a/htdocs/core/menus/standard/empty.php
+++ b/htdocs/core/menus/standard/empty.php
@ -93,7 +93,7 @@ class MenuManager
 			$classname='class="tmenusel"';

 			// Show/Hide vertical menu
-			if ($mode != 'jmobile' && $mode != 'topnb' && (GETPOST('testmenuhider') || ! empty($conf->global->MAIN_TESTMENUHIDER)) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER))
+			if ($mode != 'jmobile' && $mode != 'topnb' && (GETPOST('testmenuhider','int') || ! empty($conf->global->MAIN_TESTMENUHIDER)) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER))
 			{
 			    $showmode=1;
 			    $classname = 'class="tmenu menuhider"';
--- a/htdocs/core/search_page.php
+++ b/htdocs/core/search_page.php
@ -35,7 +35,6 @@ if (! defined('NOREQUIREMENU'))  define('NOREQUIREMENU',1);

 require_once '../main.inc.php';

-if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang'));	// If language was forced on URL by the main.inc.php
 $langs->load("main");
 $right=($langs->trans("DIRECTION")=='rtl'?'left':'right');
 $left=($langs->trans("DIRECTION")=='rtl'?'right':'left');
--- a/htdocs/core/tpl/ajaxrow.tpl.php
+++ b/htdocs/core/tpl/ajaxrow.tpl.php
@ -31,7 +31,7 @@ $forcereloadpage=empty($conf->global->MAIN_FORCE_RELOAD_PAGE)?0:1;
 $tagidfortablednd=(empty($tagidfortablednd)?'tablelines':$tagidfortablednd);
 $filepath=(empty($filepath)?'':$filepath);

-if (GETPOST('action') != 'editline' && $nboflines > 1) { ?>
+if (GETPOST('action','aZ09') != 'editline' && $nboflines > 1) { ?>
 <script type="text/javascript">
 $(document).ready(function(){
 	$(".imgupforline").hide();
--- a/htdocs/core/tpl/notes.tpl.php
+++ b/htdocs/core/tpl/notes.tpl.php
@ -31,7 +31,7 @@ $value_private=$object->note_private;
 if (! empty($conf->global->MAIN_AUTO_TIMESTAMP_IN_PUBLIC_NOTES))
 {
 	$stringtoadd=dol_print_date(dol_now(), 'dayhour').' '.$user->getFullName($langs).' --';
-	if (GETPOST('action') == 'edit'.$note_public)
+	if (GETPOST('action','aZ09') == 'edit'.$note_public)
 	{
 		$value_public=dol_concatdesc($value_public, ($value_public?"\n":"")."-- ".$stringtoadd);
 		if (dol_textishtml($value_public)) $value_public.="<br>\n";
@ -41,7 +41,7 @@ if (! empty($conf->global->MAIN_AUTO_TIMESTAMP_IN_PUBLIC_NOTES))
 if (! empty($conf->global->MAIN_AUTO_TIMESTAMP_IN_PRIVATE_NOTES))
 {
 	$stringtoadd=dol_print_date(dol_now(), 'dayhour').' '.$user->getFullName($langs).' --';
-	if (GETPOST('action') == 'edit'.$note_private)
+	if (GETPOST('action','aZ09') == 'edit'.$note_private)
 	{
 		$value_private=dol_concatdesc($value_private, ($value_private?"\n":"")."-- ".$stringtoadd);
 		if (dol_textishtml($value_private)) $value_private.="<br>\n";
--- a/htdocs/document.php
+++ b/htdocs/document.php
@ -61,7 +61,7 @@ $action=GETPOST('action','alpha');
 $original_file=GETPOST('file','alpha');	// Do not use urldecode here ($_GET are already decoded by PHP).
 $modulepart=GETPOST('modulepart','alpha');
 $urlsource=GETPOST('urlsource','alpha');
-$entity=GETPOST('entity')?GETPOST('entity','int'):$conf->entity;
+$entity=GETPOST('entity','int')?GETPOST('entity','int'):$conf->entity;

 // Security check
 if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart');
@ -95,7 +95,7 @@ else $type=dol_mimetype($original_file);
 // Define attachment (attachment=true to force choice popup 'open'/'save as')
 $attachment = true;
 if (preg_match('/\.(html|htm)$/i',$original_file)) $attachment = false;
-if (isset($_GET["attachment"])) $attachment = GETPOST("attachment")?true:false;
+if (isset($_GET["attachment"])) $attachment = GETPOST("attachment",'alpha')?true:false;
 if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false;

 // Security: Delete string ../ into $original_file
--- a/htdocs/don/payment/card.php
+++ b/htdocs/don/payment/card.php
@ -34,7 +34,7 @@ $langs->load('companies');

 // Security check
 $id=GETPOST('rowid')?GETPOST('rowid','int'):GETPOST('id','int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');
 $confirm=GETPOST('confirm');
 if ($user->societe_id) $socid=$user->societe_id;
 // TODO Add rule to restrict access payment
--- a/htdocs/don/payment/payment.php
+++ b/htdocs/don/payment/payment.php
@ -29,7 +29,7 @@ require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
 $langs->load("bills");

 $chid=GETPOST("rowid");
-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');
 $amounts = array();

 // Security check
@ -154,7 +154,7 @@ $form=new Form($db);


 // Form to create donation payment
-if (GETPOST("action") == 'create')
+if (GETPOST('action','aZ09') == 'create')
 {

 	$don = new Don($db);
--- a/htdocs/ecm/docfile.php
+++ b/htdocs/ecm/docfile.php
@ -62,7 +62,7 @@ if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="label";

 $cancel=GETPOST('cancel');
-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');
 $section=GETPOST("section");
 if (! $section)
 {
@ -221,7 +221,7 @@ while ($tmpecmdir && $result > 0)
 print img_picto('','object_dir').' <a href="'.DOL_URL_ROOT.'/ecm/index.php">'.$langs->trans("ECMRoot").'</a> -> ';
 print $s;
 print ' -> ';
-if (GETPOST('action') == 'edit') print '<input type="text" name="label" class="quatrevingtpercent" value="'.$urlfile.'">';
+if (GETPOST('action','aZ09') == 'edit') print '<input type="text" name="label" class="quatrevingtpercent" value="'.$urlfile.'">';
 else print $urlfile;
 print '</td></tr>';
 /*print '<tr><td class="tdtop">'.$langs->trans("Description").'</td><td>';
--- a/htdocs/ecm/index.php
+++ b/htdocs/ecm/index.php
@ -49,7 +49,7 @@ $result = restrictedArea($user, 'ecm', 0);

 // Get parameters
 $socid=GETPOST('socid','int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');
 $section=GETPOST("section")?GETPOST("section","int"):GETPOST("section_id","int");
 $module=GETPOST("module");
 if (! $section) $section=0;
--- a/htdocs/ecm/index_auto.php
+++ b/htdocs/ecm/index_auto.php
@ -49,7 +49,7 @@ $result = restrictedArea($user, 'ecm', 0);

 // Get parameters
 $socid=GETPOST('socid','int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');
 $section=GETPOST("section")?GETPOST("section","int"):GETPOST("section_id","int");
 $module=GETPOST("module");
 if (! $section) $section=0;
--- a/htdocs/expensereport/card.php
+++ b/htdocs/expensereport/card.php
@ -45,7 +45,7 @@ $langs->load("trips");
 $langs->load("bills");
 $langs->load("mails");

-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');
 $cancel=GETPOST('cancel');
 $confirm = GETPOST('confirm', 'alpha');

--- a/htdocs/expensereport/payment/card.php
+++ b/htdocs/expensereport/payment/card.php
@ -34,7 +34,7 @@ $langs->load('companies');

 // Security check
 $id=GETPOST('rowid')?GETPOST('rowid','int'):GETPOST('id','int');
-$action=GETPOST("action");
+$action=GETPOST('action','aZ09');
 $confirm=GETPOST('confirm');
 if ($user->societe_id) $socid=$user->societe_id;
 // TODO Add rule to restrict access payment
--- a/htdocs/expensereport/payment/payment.php
+++ b/htdocs/expensereport/payment/payment.php
@ -31,7 +31,7 @@ $langs->load("bills");
 $langs->load("banks");

 $chid=GETPOST("id");
-$action=GETPOST('action');
+$action=GETPOST('action','aZ09');
 $amounts = array();
 $accountid=GETPOST('accountid','int');

@ -174,7 +174,7 @@ $form=new Form($db);


 // Form to create expense report payment
-if (GETPOST("action") == 'create')
+if (GETPOST('action','aZ09') == 'create')
 {
 	$expensereport = new ExpenseReport($db);
 	$expensereport->fetch($chid);
--- a/htdocs/externalsite/frames.php
+++ b/htdocs/externalsite/frames.php
@ -38,7 +38,7 @@ $mainmenu=GETPOST('mainmenu', 'alpha');
 $leftmenu=GETPOST('leftmenu', 'alpha');
 $idmenu=GETPOST('idmenu', 'int');
 $theme=GETPOST('theme', 'alpha');
-$codelang=GETPOST('lang', 'alpha');
+$codelang=GETPOST('lang', 'aZ09');

 print "
 <html>
--- a/Show More
+++ b/Show More