From 92a4314779f7c33994779670820dfe33849b75ba Mon Sep 17 00:00:00 2001
From: ATM john
Date: Wed, 6 Jan 2021 10:45:54 +0100
Subject: [PATCH] Fix security mecanism generating data loss

---
 htdocs/core/lib/functions.lib.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index c6fd80f72d0..fccb019a730 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -602,6 +602,7 @@ function GETPOST($paramname, $check = 'none', $method = 0, $filter = null, $opti
 $out = trim($out);
 // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
 // '../' is dangerous because it allows dir transversals
+$out = str_replace('"', "''", trim($out));
 if (preg_match('/"/', $out)) $out = '';
 elseif (preg_match('/\.\.\//', $out)) $out = '';
 $out = dol_string_nohtmltag($out);
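Review bot: The `if (preg_match('/"/', $out)) $out = '';` on the line right after the insertion is now dead, because the added `str_replace` has already removed every double quote from `$out` before that check runs; the commit should drop that line or state in the comment why it is kept. The inner `trim($out)` is also redundant with the `$out = trim($out);` three lines above, so `$out = str_replace('"', "''", $out);` is sufficient. Replacing `"` with `''` still alters the submitted value silently and only covers the double-quoted attribute case described in the comment above it, so the comment should be extended to say that callers remain responsible for context-appropriate output escaping (e.g. `htmlspecialchars` at render time) rather than relying on this input rewrite. GETPOST's body starts and ends outside this hunk.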