From 7c78c894de77a52d4b16c0cbd7034b635a1616a2 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 9 May 2012 17:44:52 +0200
Subject: [PATCH] Fix: Not escaped html value

---
 htdocs/core/lib/admin.lib.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php
index bee8f11d60a..fa963f792ff 100644
--- a/htdocs/core/lib/admin.lib.php
+++ b/htdocs/core/lib/admin.lib.php
@@ -481,7 +481,6 @@ function dolibarr_set_const($db, $name, $value, $type='chaine', $visible=0, $not
 
         //print "sql".$value."-".pg_escape_string($value)."-".$sql;exit;
         //print "xx".$db->escape($value);
-        //print $sql;exit;
         dol_syslog("admin.lib::dolibarr_set_const sql=".$sql, LOG_DEBUG);
         $resql=$db->query($sql);
     }
@@ -1038,7 +1037,7 @@ function form_constantes($tableau)
             print '<input type="hidden" name="action" value="update">';
             print '<input type="hidden" name="rowid" value="'.$obj->rowid.'">';
             print '<input type="hidden" name="constname" value="'.$const.'">';
-            print '<input type="hidden" name="constnote" value="'.nl2br($obj->note).'">';
+            print '<input type="hidden" name="constnote" value="'.nl2br(dol_escape_htmltag($obj->note)).'">';
 
             print $langs->trans("Desc".$const) != ("Desc".$const) ? $langs->trans("Desc".$const) : ($obj->note?$obj->note:$const);