From 7c7a1b5512f285c263c51e227f1e9c0191dde98a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?=
Date: Wed, 4 Nov 2020 09:45:02 +0100
Subject: [PATCH 1/3] Update functions.lib.php
---
 htdocs/core/lib/functions.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 19d9c039736..43588ba0d0e 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -659,11 +659,11 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options =
 break;
 case 'alpha': // No html and no " and no ../
 case 'alphanohtml': // Recommended for most scalar parameters and search parameters
- if (!is_array($out))
- {
+ if (!is_array($out)) {
 // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
 // '../' is dangerous because it allows dir transversals
 $out = str_replace(array('"', '"', '../'), '', trim($out));
+ // keep lines feed
 $out = dol_string_nohtmltag($out, 0);
 }
 break;
From 7d878d47fac1689659794b507574f93991452e97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?=
Date: Wed, 4 Nov 2020 09:50:36 +0100
Subject: [PATCH 2/3] Update card.php
---
 htdocs/societe/card.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php
index f16779148d3..b047e78eccc 100644
--- a/htdocs/societe/card.php
+++ b/htdocs/societe/card.php
@@ -1288,7 +1288,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''; print ''; print ''; print $form->widgetForTranslation("address", $object, $permissiontoadd, 'textarea', 'alphanohtml', 'quatrevingtpercent'); print ''; 
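Review bot: The traversal guard on the context line `$out = str_replace(array('"', '"', '../'), '', trim($out));` is a single non-recursive pass, so an input such as `....//` becomes `../` after the replacement and reaches `dol_string_nohtmltag()` with the traversal sequence intact; the commit reshapes the surrounding `if` but leaves this as it was. Repeat the strip until the value stops changing, e.g. `do { $before = $out; $out = str_replace('../', '', $out); } while ($out !== $before);`, keeping the `'"'` removal as a plain single pass since a one-character pattern cannot recombine; whether `..\` should be covered too depends on how the checked value is used on Windows hosts, which this hunk does not show. The added `+ // keep lines feed` comment would be more useful as `// keep line feeds: the 0 presumably tells dol_string_nohtmltag() not to strip \n — confirm against its signature`, because the argument's meaning is not visible here. As rendered, the array lists `'"'` twice; if that is not an extraction artifact (an `&quot;` entity decoded by the page), one entry is redundant. checkVal() starts and ends outside this hunk.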
@@ -1889,7 +1889,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Address print ''.$form->editfieldkey('Address', 'address', '', $object, 0).''; print ''; print $form->widgetForTranslation("address", $object, $permissiontoadd, 'textarea', 'alphanohtml', 'quatrevingtpercent'); print '';
From bd596965ef6ce9b0cc9753d811314dc418668c54 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 4 Nov 2020 18:54:56 +0100
Subject: [PATCH 3/3] Update card.php
---
 htdocs/societe/card.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php
index b047e78eccc..ea560ae650b 100644
--- a/htdocs/societe/card.php
+++ b/htdocs/societe/card.php
@@ -1288,7 +1288,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''; print ''; print ''; print $form->widgetForTranslation("address", $object, $permissiontoadd, 'textarea', 'alphanohtml', 'quatrevingtpercent'); print '';
@@ -1889,7 +1889,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Address print ''.$form->editfieldkey('Address', 'address', '', $object, 0).''; print ''; print $form->widgetForTranslation("address", $object, $permissiontoadd, 'textarea', 'alphanohtml', 'quatrevingtpercent'); print '';