diff --git a/htdocs/don/card.php b/htdocs/don/card.php
index 0ace5c88e76..f2e7ade706d 100644
--- a/htdocs/don/card.php
+++ b/htdocs/don/card.php
@@ -50,7 +50,7 @@ $cancel=GETPOST('cancel');
 $amount=GETPOST('amount');
 $donation_date=dol_mktime(12, 0, 0, GETPOST('remonth'), GETPOST('reday'), GETPOST('reyear'));
 $projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0);
-    
+
 $object = new Don($db);
 $extrafields = new ExtraFields($db);
 
@@ -316,17 +316,17 @@ if ($action == 'create')
 	print '</td>';
 
     // Amount
-    print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" value="'.GETPOST("amount").'" size="10"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
+    print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" value="'.dol_escape_htmltag(GETPOST("amount")).'" size="10"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
 
 	print '<tr><td class="fieldrequired">'.$langs->trans("PublicDonation")."</td><td>";
 	print $form->selectyesno("public",isset($_POST["public"])?$_POST["public"]:1,1);
 	print "</td></tr>\n";
 
-	print "<tr>".'<td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" value="'.GETPOST("societe").'" size="40"></td></tr>';
-	print "<tr>".'<td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" value="'.GETPOST("lastname").'" size="40"></td></tr>';
-	print "<tr>".'<td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" value="'.GETPOST("firstname").'" size="40"></td></tr>';
+	print "<tr>".'<td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" value="'.dol_escape_htmltag(GETPOST("societe")).'" size="40"></td></tr>';
+	print "<tr>".'<td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" value="'.dol_escape_htmltag(GETPOST("lastname")).'" size="40"></td></tr>';
+	print "<tr>".'<td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" value="'.dol_escape_htmltag(GETPOST("firstname")).'" size="40"></td></tr>';
 	print "<tr>".'<td>'.$langs->trans("Address").'</td><td>';
-	print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="3">'.GETPOST("address").'</textarea></td></tr>';
+	print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="3">'.dol_escape_htmltag(GETPOST("address")).'</textarea></td></tr>';
 
     // Zip / Town
     print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
@@ -341,7 +341,7 @@ if ($action == 'create')
     if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1);
     print '</td></tr>';
 
-	print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" value="'.GETPOST("email").'" size="40"></td></tr>';
+	print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" value="'.dol_escape_htmltag(GETPOST("email")).'" size="40"></td></tr>';
 
 	// Public note
 	print '<tr>';
@@ -384,9 +384,9 @@ if ($action == 'create')
 	dol_fiche_end();
 
 	print '<div class="center">';
-	print '<input type="submit" class="button" name="save" value="'.$langs->trans("Save").'">';
+	print '<input type="submit" class="button" name="save" value="'.dol_escape_htmltag($langs->trans("Save")).'">';
 	print '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;';
-	print '<input type="button" class="button" value="' . $langs->trans("Cancel") . '" onClick="javascript:history.go(-1)">';
+	print '<input type="button" class="button" value="'.dol_escape_htmltag($langs->trans("Cancel")).'" onClick="javascript:history.go(-1)">';
 	print '</div>';
 
 	print "</form>\n";
@@ -438,7 +438,7 @@ if (! empty($id) && $action == 'edit')
 	// Amount
 	if ($object->statut == 0)
 	{
-		print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" size="10" value="'.$object->amount.'"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
+		print "<tr>".'<td class="fieldrequired">'.$langs->trans("Amount").'</td><td><input type="text" name="amount" size="10" value="'.dol_escape_htmltag($object->amount).'"> '.$langs->trans("Currency".$conf->currency).'</td></tr>';
 	}
 	else
 	{
@@ -453,11 +453,11 @@ if (! empty($id) && $action == 'edit')
 	print "</tr>\n";
 
 	$langs->load("companies");
-	print '<tr><td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" size="40" value="'.$object->societe.'"></td></tr>';
-	print '<tr><td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" size="40" value="'.$object->lastname.'"></td></tr>';
-	print '<tr><td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" size="40" value="'.$object->firstname.'"></td></tr>';
+	print '<tr><td>'.$langs->trans("Company").'</td><td><input type="text" name="societe" size="40" value="'.dol_escape_htmltag($object->societe).'"></td></tr>';
+	print '<tr><td>'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" size="40" value="'.dol_escape_htmltag($object->lastname).'"></td></tr>';
+	print '<tr><td>'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" size="40" value="'.dol_escape_htmltag($object->firstname).'"></td></tr>';
 	print '<tr><td>'.$langs->trans("Address").'</td><td>';
-	print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="'.ROWS_3.'">'.$object->address.'</textarea></td></tr>';
+	print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="'.ROWS_3.'">'.dol_escape_htmltag($object->address).'</textarea></td></tr>';
 
     // Zip / Town
     print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
@@ -472,7 +472,7 @@ if (! empty($id) && $action == 'edit')
 	if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1);
 	print '</td></tr>';
 
-	print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" size="40" value="'.$object->email.'"></td></tr>';
+	print "<tr>".'<td>'.$langs->trans("EMail").'</td><td><input type="text" name="email" size="40" value="'.dol_escape_htmltag($object->email).'"></td></tr>';
 
     print "<tr><td>".$langs->trans("PaymentMode")."</td><td>\n";
 
@@ -544,9 +544,9 @@ if (! empty($id) && $action != 'edit')
 
 	// Print form confirm
 	print $formconfirm;
-	
+
 	$linkback = '<a href="'.DOL_URL_ROOT.'/don/list.php'.(! empty($socid)?'?socid='.$socid:'').'">'.$langs->trans("BackToList").'</a>';
-	
+
 	$morehtmlref='<div class="refidno">';
 	// Project
 	if (! empty($conf->projet->enabled))
@@ -581,8 +581,8 @@ if (! empty($id) && $action != 'edit')
 	    }
 	}
 	$morehtmlref.='</div>';
-	
-	
+
+
     dol_banner_tab($object, 'rowid', $linkback, 1, 'rowid', 'ref', $morehtmlref);
 
 
@@ -592,13 +592,6 @@ if (! empty($id) && $action != 'edit')
 
     print '<table class="border" width="100%">';
 
-	// Ref
-	/*
-	print '<tr><td class="titlefield">'.$langs->trans("Ref").'</td><td colspan="2">';
-	print $form->showrefnav($object, 'rowid', $linkback, 1, 'rowid', 'ref', '');
-	print '</td>';
-	print '</tr>';
-    */
 	// Date
 	print '<tr><td class="titlefield">'.$langs->trans("Date").'</td><td colspan="2">';
 	print dol_print_date($object->date,"day");
@@ -615,52 +608,12 @@ if (! empty($id) && $action != 'edit')
 	print '<tr><td>'.$langs->trans("Company").'</td><td colspan="2">'.$object->societe.'</td></tr>';
 	print '<tr><td>'.$langs->trans("Lastname").'</td><td colspan="2">'.$object->lastname.'</td></tr>';
 	print '<tr><td>'.$langs->trans("Firstname").'</td><td colspan="2">'.$object->firstname.'</td></tr>';
-	/*print '<tr><td>'.$langs->trans("Address").'</td><td>'.dol_nl2br($object->address).'</td>';
 
-	// Zip / Town
-	print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
-	print $object->zip.($object->zip && $object->town?' / ':'').$object->town.'</td></tr>';
-	
-	// Country
-	print '<tr><td>'.$langs->trans('Country').'</td><td>';
-	if (! empty($object->country_code))
-	{
-	    $img=picto_from_langcode($object->country_code);
-	    print ($img?$img.' ':'');
-	    print $object->country;
-	}
-	else
-	{
-	    print $object->country_olddata;
-	}
-	print '</td></tr>';
-	
-	// EMail
-	print "<tr>".'<td>'.$langs->trans("EMail").'</td><td>'.dol_print_email($object->email).'</td></tr>';
-	*/
-	
 	// Payment mode
 	print "<tr><td>".$langs->trans("PaymentMode")."</td><td>";
 	$form->form_modes_reglement(null, $object->modepaymentid,'none');
 	print "</td></tr>\n";
-	
-	//print "<tr>".'<td>'.$langs->trans("Status").'</td><td>'.$object->getLibStatut(4).'</td></tr>';
-	
-	// Project
-	/*
-	if (! empty($conf->projet->enabled))
-	{
-	    print '<tr>';
-	    print '<td>'.$langs->trans("Project").'</td>';
-	    print '<td>';
-	    $projettmp=new Project($db);
-	    $projettmp->id=$object->fk_projet;
-	    $projettmp->ref=$object->project;
-	    if(! empty($object->fk_projet)) print $projettmp->getNomUrl(1);
-	    print '</td>';
-	    print '</tr>';
-	}*/
-	
+
 	// Other attributes
 	$cols = 2;
 	include DOL_DOCUMENT_ROOT . '/core/tpl/extrafields_view.tpl.php';
diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php
index 9523d489256..90db40fd2e7 100644
--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
@@ -138,7 +138,7 @@ if($year_start > 0) {
     }
 } else {
     if($month_start > 0) {
-        $filter.= " AND date_format(cp.date_debut, '%m') = '$month_start'";
+        $filter.= " AND date_format(cp.date_debut, '%m') = '".$db->escape($month_start)."'";
     }
 }
 
@@ -153,7 +153,7 @@ if($year_end > 0) {
     }
 } else {
     if($month_end > 0) {
-        $filter.= " AND date_format(cp.date_fin, '%m') = '$month_end'";
+        $filter.= " AND date_format(cp.date_fin, '%m') = '".$db->escape($month_end)."'";
     }
 }
 
@@ -368,13 +368,13 @@ print '<td class="liste_titre">&nbsp;</td>';
 
 // DATE DEBUT
 print '<td class="liste_titre" align="center">';
-print '<input class="flat" type="text" size="1" maxlength="2" name="month_start" value="'.$month_start.'">';
+print '<input class="flat" type="text" size="1" maxlength="2" name="month_start" value="'.dol_escape_htmltag($month_start).'">';
 $formother->select_year($year_start,'year_start',1, $min_year, $max_year);
 print '</td>';
 
 // DATE FIN
 print '<td class="liste_titre" align="center">';
-print '<input class="flat" type="text" size="1" maxlength="2" name="month_end" value="'.$month_end.'">';
+print '<input class="flat" type="text" size="1" maxlength="2" name="month_end" value="'.dol_escape_htmltag($month_end).'">';
 $formother->select_year($year_end,'year_end',1, $min_year, $max_year);
 print '</td>';
 

'.$langs->trans("Ref").'	'; - print $form->showrefnav($object, 'rowid', $linkback, 1, 'rowid', 'ref', ''); - print '
'.$langs->trans("Date").'	'; print dol_print_date($object->date,"day"); @@ -615,52 +608,12 @@ if (! empty($id) && $action != 'edit') print '
'.$langs->trans("Company").'	'.$object->societe.'
'.$langs->trans("Lastname").'	'.$object->lastname.'
'.$langs->trans("Firstname").'	'.$object->firstname.'
'.$langs->trans("Address").'	'.dol_nl2br($object->address).'
'.$langs->trans("Zip").' / '.$langs->trans("Town").'	'; - print $object->zip.($object->zip && $object->town?' / ':'').$object->town.'
'.$langs->trans('Country').'	'; - if (! empty($object->country_code)) - { - $img=picto_from_langcode($object->country_code); - print ($img?$img.' ':''); - print $object->country; - } - else - { - print $object->country_olddata; - } - print '
'.$langs->trans("EMail").'	'.dol_print_email($object->email).'
".$langs->trans("PaymentMode")."	"; $form->form_modes_reglement(null, $object->modepaymentid,'none'); print "
'.$langs->trans("Status").'	'.$object->getLibStatut(4).'
'.$langs->trans("Project").'	'; - $projettmp=new Project($db); - $projettmp->id=$object->fk_projet; - $projettmp->ref=$object->project; - if(! empty($object->fk_projet)) print $projettmp->getNomUrl(1); - print '
	'; -print ''; +print ''; $formother->select_year($year_start,'year_start',1, $min_year, $max_year); print '	'; -print ''; +print ''; $formother->select_year($year_end,'year_end',1, $min_year, $max_year); print '