diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index d567489c2f1..50ff91a6508 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -752,7 +752,8 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
 $out = trim($out);
 do {
 $oldstringtoclean = $out;
-$out = str_ireplace(array('"', '"', '../'), '', $out);
+// Note &, '&', '&'... is a simple char like '&' alone but there is no reason to accept such way to encode input data.
+$out = str_ireplace(array('&', '&', '&', '"', '"', '"', '"', '"', '/', '/', '/', '../'), '', $out);
 } while ($oldstringtoclean != $out);
 // keep lines feed
 }
@@ -765,7 +766,8 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
 $out = trim($out);
 do {
 $oldstringtoclean = $out;
-$out = str_ireplace(array('"', '"', '../'), '', $out);
+// Note &, '&', '&'... is a simple char like '&' alone but there is no reason to accept such way to encode input data.
+$out = str_ireplace(array('&', '&', '&', '"', '"', '"', '"', '"', '/', '/', '/', '../'), '', $out);
 } while ($oldstringtoclean != $out);
 }
 break;
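Review bot: The replacement list in both hunks (the second, at @@ -765, is byte-identical to the first) is a denylist of specific encoded spellings of `&`, `"` and `/`; numeric character references admit further variants (leading zeros, mixed-case hex, and browser-tolerated missing semicolons), so a fixed enumeration cannot be complete and the loop's fixpoint only guarantees the listed forms are gone. As rendered here the entries appear already entity-decoded, so I cannot confirm the exact spellings in the source; if they really are literal `'&'` and `'/'` the replacement would also strip every slash in the text, including closing tags, which is presumably not intended — worth a regression test with a `</p>` input. Since the two hunks duplicate the same list, I would move it into one shared constant or private helper so the two cases cannot drift apart, and replace the new comment with `// Strip common entity encodings of &, " and / plus '../'; this is a best-effort denylist, not a full entity normalization.` checkVal starts and ends outside the hunk.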