diff --git a/htdocs/admin/tools/index.php b/htdocs/admin/tools/index.php
index 8da041d05da..b8dfad44e8f 100644
--- a/htdocs/admin/tools/index.php
+++ b/htdocs/admin/tools/index.php
@@ -38,7 +38,7 @@ if (! $user->admin)
 $form = new Form($db);
 
 $title=$langs->trans("SystemToolsArea");
-if (GETPOST('leftmenu') == 'admintools') $title=$langs->trans("ModulesSystemTools");
+if (GETPOST('leftmenu',"aZ09") == 'admintools') $title=$langs->trans("ModulesSystemTools");
 
 llxHeader('', $title);
 
diff --git a/htdocs/bookmarks/bookmarks.lib.php b/htdocs/bookmarks/bookmarks.lib.php
index 3cee534e797..e6d3125abed 100644
--- a/htdocs/bookmarks/bookmarks.lib.php
+++ b/htdocs/bookmarks/bookmarks.lib.php
@@ -40,7 +40,7 @@ function printBookmarksList($aDb, $aLangs)
 
 	$langs->load("bookmarks");
 
-	$url= $_SERVER["PHP_SELF"].(! empty($_SERVER["QUERY_STRING"])?'?'.$_SERVER["QUERY_STRING"]:'');
+	$url= $_SERVER["PHP_SELF"].(dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'');
 
 	$ret = '';
 	// Menu bookmark
diff --git a/htdocs/core/ajax/ajaxdirpreview.php b/htdocs/core/ajax/ajaxdirpreview.php
index 28f78e22ef4..bbc7647c802 100644
--- a/htdocs/core/ajax/ajaxdirpreview.php
+++ b/htdocs/core/ajax/ajaxdirpreview.php
@@ -139,7 +139,7 @@ if (! dol_is_dir($upload_dir))
 }
 
 print '<!-- ajaxdirpreview type='.$type.' -->'."\n";
-print '<!-- Page called with mode='.(isset($mode)?$mode:'').' type='.$type.' module='.$module.' url='.$url.' '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Page called with mode='.dol_escape_htmltag(isset($mode)?$mode:'').' type='.dol_escape_htmltag($type).' module='.dol_escape_htmltag($module).' url='.dol_escape_htmltag($url).' '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 $param=($sortfield?'&sortfield='.$sortfield:'').($sortorder?'&sortorder='.$sortorder:'');
 
diff --git a/htdocs/core/ajax/bankconciliate.php b/htdocs/core/ajax/bankconciliate.php
index 3a8a3e30687..76ab3045f93 100644
--- a/htdocs/core/ajax/bankconciliate.php
+++ b/htdocs/core/ajax/bankconciliate.php
@@ -45,7 +45,7 @@ $action=GETPOST('action');
 //top_htmlhead("", "", 1);  // Replaced with top_httphead. An ajax page does not need html header.
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $action == 'dvnext')
 {
diff --git a/htdocs/core/ajax/box.php b/htdocs/core/ajax/box.php
index 63f96a0c513..106822f998b 100644
--- a/htdocs/core/ajax/box.php
+++ b/htdocs/core/ajax/box.php
@@ -50,7 +50,7 @@ $userid=GETPOST('userid','int');
 //top_htmlhead("", "", 1);  // Replaced with top_httphead. An ajax page does not need html header.
 top_httphead();
 
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 // Add a box
 if ($boxid > 0 && $zone !='' && $userid > 0)
diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php
index 331a5e87513..f79753260d7 100644
--- a/htdocs/core/ajax/constantonoff.php
+++ b/htdocs/core/ajax/constantonoff.php
@@ -45,7 +45,7 @@ $name=GETPOST('name','alpha');
 //top_htmlhead("", "", 1);  // Replaced with top_httphead. An ajax page does not need html header.
 top_httphead();
 
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 // Registering the location of boxes
 if (! empty($action) && ! empty($name))
diff --git a/htdocs/core/ajax/contacts.php b/htdocs/core/ajax/contacts.php
index c3788a8baeb..1c7c7a56e4b 100644
--- a/htdocs/core/ajax/contacts.php
+++ b/htdocs/core/ajax/contacts.php
@@ -41,20 +41,20 @@ $showempty	= GETPOST('showempty','int');
 
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 // Load original field value
 if (! empty($id) && ! empty($action) && ! empty($htmlname))
 {
 	$form = new Form($db);
-	
+
 	$return=array();
 	if (empty($showempty)) $showempty=0;
-	
+
 	$return['value']	= $form->selectcontacts($id,'',$htmlname,$showempty,'','',0,'',true);
 	$return['num']		= $form->num;
 	$return['error']	= $form->error;
-	
+
 	echo json_encode($return);
 }
 
diff --git a/htdocs/core/ajax/extraparams.php b/htdocs/core/ajax/extraparams.php
index 510ef8a1cf8..f8a636e52a5 100644
--- a/htdocs/core/ajax/extraparams.php
+++ b/htdocs/core/ajax/extraparams.php
@@ -40,17 +40,17 @@ $type = GETPOST('type', 'alpha');
 
 top_httphead();
 
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
 {
 	$value = GETPOST('value','alpha');
 	$params=array();
-	
+
 	dol_syslog("AjaxSetExtraParameters id=".$id." element=".$element." htmlelement=".$htmlelement." type=".$type." value=".$value, LOG_DEBUG);
-	
+
 	$classpath = $subelement = $element;
-	
+
 	// For compatibility
 	if ($element == 'order' || $element == 'commande')    { $classpath = $subelement = 'commande'; }
 	else if ($element == 'propal')				{ $classpath = 'comm/propal'; $subelement = 'propal'; }
@@ -60,19 +60,19 @@ if(! empty($id) && ! empty($element) && ! empty($htmlelement) && ! empty($type))
 	else if ($element == 'deplacement')			{ $classpath = 'compta/deplacement'; $subelement = 'deplacement'; }
 	else if ($element == 'order_supplier')		{ $classpath = 'fourn'; $subelement = 'fournisseur.commande'; }
 	else if ($element == 'invoice_supplier')	{ $classpath = 'fourn'; $subelement = 'fournisseur.facture'; }
-	
+
 	dol_include_once('/'.$classpath.'/class/'.$subelement.'.class.php');
-	
+
 	if ($element == 'order_supplier')			{ $classname = 'CommandeFournisseur'; }
 	else if ($element == 'invoice_supplier')	{ $classname = 'FactureFournisseur'; }
 	else $classname = ucfirst($subelement);
-	
+
 	$object	= new $classname($db);
 	$object->fetch($id);
-	
+
 	$params[$htmlelement] = array($type => $value);
 	$object->extraparams = array_merge($object->extraparams, $params);
-	
+
 	$result=$object->setExtraParameters();
 }
 
diff --git a/htdocs/core/ajax/loadinplace.php b/htdocs/core/ajax/loadinplace.php
index de3a4e57d19..7e9e541c768 100644
--- a/htdocs/core/ajax/loadinplace.php
+++ b/htdocs/core/ajax/loadinplace.php
@@ -41,7 +41,7 @@ $fk_element		= GETPOST('fk_element','alpha');
 
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 // Load original field value
 if (! empty($field) && ! empty($element) && ! empty($table_element) && ! empty($fk_element))
diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php
index 6ac5abd3bbb..37173ed9943 100644
--- a/htdocs/core/ajax/objectonoff.php
+++ b/htdocs/core/ajax/objectonoff.php
@@ -42,7 +42,7 @@ $object = new GenericObject($db);
 
 top_httphead();
 
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 // Registering new values
 if (($action == 'set') && ! empty($id))
diff --git a/htdocs/core/ajax/price.php b/htdocs/core/ajax/price.php
index 5c891df14d5..d4a101fb497 100644
--- a/htdocs/core/ajax/price.php
+++ b/htdocs/core/ajax/price.php
@@ -39,7 +39,7 @@ $tva_tx		= str_replace('*','',GETPOST('tva_tx','alpha'));
 
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 // Load original field value
 if (! empty($output) && isset($amount) && isset($tva_tx))
diff --git a/htdocs/core/ajax/row.php b/htdocs/core/ajax/row.php
index 41d411f01fd..827ee92d525 100644
--- a/htdocs/core/ajax/row.php
+++ b/htdocs/core/ajax/row.php
@@ -17,8 +17,8 @@
 
 /**
  *       \file       htdocs/core/ajax/row.php
- *       \brief      File to return Ajax response on Row move. 
- *                   This ajax page is called when doing an up or down drag and drop. 
+ *       \brief      File to return Ajax response on Row move.
+ *                   This ajax page is called when doing an up or down drag and drop.
  */
 
 if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disable token renewal
@@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
 
 top_httphead();
 
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 // Registering the location of boxes
 if ((isset($_POST['roworder']) && ! empty($_POST['roworder'])) && (isset($_POST['table_element_line']) && ! empty($_POST['table_element_line']))
diff --git a/htdocs/core/ajax/saveinplace.php b/htdocs/core/ajax/saveinplace.php
index 48797dd0432..eb04379a778 100644
--- a/htdocs/core/ajax/saveinplace.php
+++ b/htdocs/core/ajax/saveinplace.php
@@ -54,7 +54,7 @@ savemethodname:
 
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 //print_r($_POST);
 
 // Load original field value
diff --git a/htdocs/core/ajax/security.php b/htdocs/core/ajax/security.php
index 28a53a87679..cc7335618d0 100644
--- a/htdocs/core/ajax/security.php
+++ b/htdocs/core/ajax/security.php
@@ -17,8 +17,8 @@
 
 /**
  *       \file       htdocs/core/ajax/security.php
- *       \brief      This ajax component is used to generated has keys for security purposes 
- *                   like key to use into URL to protect them. 
+ *       \brief      This ajax component is used to generated has keys for security purposes
+ *                   like key to use into URL to protect them.
  */
 
 if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Disables token renewal
@@ -38,7 +38,7 @@ require '../../main.inc.php';
 //top_htmlhead("", "", 1);  // Replaced with top_httphead. An ajax page does not need html header.
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 // Registering the location of boxes
 if (isset($_GET['action']) && ! empty($_GET['action']))
diff --git a/htdocs/core/ajax/vatrates.php b/htdocs/core/ajax/vatrates.php
index fc30a13afec..ac9691bfa25 100644
--- a/htdocs/core/ajax/vatrates.php
+++ b/htdocs/core/ajax/vatrates.php
@@ -41,7 +41,7 @@ $productid	= (GETPOST('productid','int')?GETPOST('productid','int'):0);
 
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 // Load original field value
 if (! empty($id) && ! empty($action) && ! empty($htmlname))
diff --git a/htdocs/core/ajax/ziptown.php b/htdocs/core/ajax/ziptown.php
index 30e0211ece1..9fa475039d9 100644
--- a/htdocs/core/ajax/ziptown.php
+++ b/htdocs/core/ajax/ziptown.php
@@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
 //top_htmlhead("", "", 1);  // Replaced with top_httphead. An ajax page does not need html header.
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 dol_syslog("GET is ".join(',',$_GET).', MAIN_USE_ZIPTOWN_DICTIONNARY='.(empty($conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY)?'':$conf->global->MAIN_USE_ZIPTOWN_DICTIONNARY));
 //var_dump($_GET);
diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php
index 98720d335b9..1771b6f7a4c 100644
--- a/htdocs/core/class/html.formother.class.php
+++ b/htdocs/core/class/html.formother.class.php
@@ -1062,7 +1062,7 @@ class FormOther
 	        			async: false
 	        		});
 	        		// We force reload to be sure to get all boxes into list
-	        		window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=delbox\';
+	        		window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=delbox\';
 	        	}
 	        	else
 	        	{
@@ -1084,7 +1084,7 @@ class FormOther
 	    					url: \''.DOL_URL_ROOT.'/core/ajax/box.php?boxorder=\'+boxorder+\'&boxid=\'+boxid+\'&zone='.$areacode.'&userid='.$user->id.'\',
 	    			        async: false
 	    		        });
-	        			window.location.search=\'mainmenu='.GETPOST("mainmenu").'&leftmenu='.GETPOST('leftmenu').'&action=addbox&boxid=\'+boxid;
+	        			window.location.search=\'mainmenu='.GETPOST("mainmenu","aZ09").'&leftmenu='.GETPOST('leftmenu',"aZ09").'&action=addbox&boxid=\'+boxid;
 	                }
 	        	});';
 	        	if (! count($arrayboxtoactivatelabel)) $selectboxlist.='jQuery("#boxcombo").hide();';
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 97ce3c4f698..f9f9c8557ee 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -289,9 +289,6 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
 	        case 'intcomma':
 	            if (preg_match('/[^0-9,]+/i',$out)) $out='';
 	            break;
-	        case 'intcomma':
-	            if (preg_match('/[^0-9,]+/i',$out)) $out='';
-	            break;
 	        case 'alpha':
 	            $out=trim($out);
 	            // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
@@ -2931,8 +2928,8 @@ function dol_print_error($db='',$error='',$errors=null)
 		$out.="<b>".$langs->trans("Referer").":</b> ".(isset($_SERVER["HTTP_REFERER"])?dol_htmlentities($_SERVER["HTTP_REFERER"],ENT_COMPAT,'UTF-8'):'')."<br>\n";
 		$out.="<b>".$langs->trans("MenuManager").":</b> ".(isset($conf->standard_menu)?$conf->standard_menu:'')."<br>\n";
 		$out.="<br>\n";
-		$syslog.="url=".$_SERVER["REQUEST_URI"];
-		$syslog.=", query_string=".$_SERVER["QUERY_STRING"];
+		$syslog.="url=".dol_escape_htmltag($_SERVER["REQUEST_URI"]);
+		$syslog.=", query_string=".dol_escape_htmltag($_SERVER["QUERY_STRING"]);
 	}
 	else                              // Mode CLI
 	{
diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php
index fc05e2c9194..8c16ae8309a 100644
--- a/htdocs/core/lib/security2.lib.php
+++ b/htdocs/core/lib/security2.lib.php
@@ -144,10 +144,6 @@ function dol_loginfunction($langs,$conf,$mysoc)
 
 	$dol_url_root = DOL_URL_ROOT;
 
-	$php_self = $_SERVER['PHP_SELF'];
-	$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
-	if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
-
 	// Title
 	$appli=constant('DOL_APPLICATION_TITLE');
 	$title=$appli.' '.DOL_VERSION;
@@ -422,7 +418,7 @@ function encodedecode_dbpassconf($level=0)
 			fflush($fp);
 			fclose($fp);
 			clearstatcache();
-			
+
 			// It's config file, so we set read permission for creator only.
 			// Should set permission to web user and groups for users used by batch
 			//@chmod($file, octdec('0600'));
diff --git a/htdocs/core/tpl/ajax/fileupload_main.tpl.php b/htdocs/core/tpl/ajax/fileupload_main.tpl.php
index b7437af4616..034e9ebc3fc 100644
--- a/htdocs/core/tpl/ajax/fileupload_main.tpl.php
+++ b/htdocs/core/tpl/ajax/fileupload_main.tpl.php
@@ -45,7 +45,7 @@ $(function () {
 	// Events
 	$('#fileupload').fileupload({
 		stop: function (e, data) {
-			location.href='<?php echo $_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"]; ?>';
+			location.href='<?php echo dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]); ?>';
 		},
 		destroy: function (e, data) {
 			var that = $(this).data('fileupload');
diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php
index 3772b44c9fc..608e508d717 100644
--- a/htdocs/core/tpl/login.tpl.php
+++ b/htdocs/core/tpl/login.tpl.php
@@ -31,6 +31,10 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
 // If we force to use jmobile, then we reenable javascript
 if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
 
+$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']);
+$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
+if (! preg_match('/mainmenu=/',$php_self)) $php_self.=(preg_match('/\?/',$php_self)?'&':'?').'mainmenu=home';
+
 // Javascript code on logon page only to detect user tz, dst_observed, dst_first, dst_second
 $arrayofjs=array(
 	'/includes/jstz/jstz.min.js'.(empty($conf->dol_use_jmobile)?'':'?version='.urlencode(DOL_VERSION)),
@@ -80,7 +84,7 @@ $(document).ready(function () {
 <tr class="vmenu"><td class="center">
 <?php
 if ($disablenofollow) echo '<a class="login_table_title" href="https://www.dolibarr.org" target="_blank">';
-echo dol_escape_htmltag($title); 
+echo dol_escape_htmltag($title);
 if ($disablenofollow) echo '</a>';
 ?>
 </td></tr>
diff --git a/htdocs/core/tpl/passwordforgotten.tpl.php b/htdocs/core/tpl/passwordforgotten.tpl.php
index b641627b789..c05916d55a7 100644
--- a/htdocs/core/tpl/passwordforgotten.tpl.php
+++ b/htdocs/core/tpl/passwordforgotten.tpl.php
@@ -28,6 +28,9 @@ if (GETPOST('dol_use_jmobile')) $conf->dol_use_jmobile=1;
 // If we force to use jmobile, then we reenable javascript
 if (! empty($conf->dol_use_jmobile)) $conf->use_javascript_ajax=1;
 
+$php_self = dol_escape_htmltag($_SERVER['PHP_SELF']);
+$php_self.= dol_escape_htmltag($_SERVER["QUERY_STRING"])?'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]):'';
+
 print top_htmlhead('',$langs->trans('SendNewPassword'));
 ?>
 <!-- BEGIN PHP TEMPLATE PASSWORDFORGOTTEN.TPL.PHP -->
@@ -94,7 +97,7 @@ if (! empty($hookmanager->resArray['options'])) {
 }
 ?>
 
-<?php if ($captcha) { 
+<?php if ($captcha) {
 		// Add a variable param to force not using cache (jmobile)
 		$php_self = preg_replace('/[&\?]time=(\d+)/','',$php_self);	// Remove param time
 		if (preg_match('/\?/',$php_self)) $php_self.='&time='.dol_print_date(dol_now(),'dayhourlog');
@@ -129,7 +132,7 @@ if (! empty($hookmanager->resArray['options'])) {
 <div id="login_line2" style="clear: both">
 
 <!-- Button Send password -->
-<br><input id="password" type="submit" <?php echo $disabled; ?> class="button" name="password" value="<?php echo $langs->trans('SendNewPassword'); ?>" tabindex="4" />
+<br><input type="submit" <?php echo $disabled; ?> class="button" name="password" value="<?php echo $langs->trans('SendNewPassword'); ?>" tabindex="4" />
 
 <br>
 <div align="center" style="margin-top: 8px;">
diff --git a/htdocs/ecm/ajax/ecmdatabase.php b/htdocs/ecm/ajax/ecmdatabase.php
index ac3a45d5683..6753a4299b0 100644
--- a/htdocs/ecm/ajax/ecmdatabase.php
+++ b/htdocs/ecm/ajax/ecmdatabase.php
@@ -39,7 +39,7 @@ $element = GETPOST('element', 'alpha');
 
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 // Load original field value
 if (isset($action) && ! empty($action))
diff --git a/htdocs/expensereport/ajax/ajaxprojet.php b/htdocs/expensereport/ajax/ajaxprojet.php
index 6b9dd7e062f..423677c5da5 100644
--- a/htdocs/expensereport/ajax/ajaxprojet.php
+++ b/htdocs/expensereport/ajax/ajaxprojet.php
@@ -46,7 +46,7 @@ require '../../main.inc.php';
 //top_htmlhead("", "", 1);  // Replaced with top_httphead. An ajax page does not need html header.
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 dol_syslog(join(',',$_GET));
 
diff --git a/htdocs/externalsite/frames.php b/htdocs/externalsite/frames.php
index adf9d547073..6005b8e55b6 100644
--- a/htdocs/externalsite/frames.php
+++ b/htdocs/externalsite/frames.php
@@ -34,8 +34,8 @@ if (empty($conf->global->EXTERNALSITE_URL))
 	llxFooter();
 }
 
-$mainmenu=GETPOST('mainmenu', 'alpha');
-$leftmenu=GETPOST('leftmenu', 'alpha');
+$mainmenu=GETPOST('mainmenu', "aZ09");
+$leftmenu=GETPOST('leftmenu', "aZ09");
 $idmenu=GETPOST('idmenu', 'int');
 $theme=GETPOST('theme', 'alpha');
 $codelang=GETPOST('lang', 'aZ09');
diff --git a/htdocs/fourn/ajax/getSupplierPrices.php b/htdocs/fourn/ajax/getSupplierPrices.php
index af3d728dc78..9a8c24c4eba 100644
--- a/htdocs/fourn/ajax/getSupplierPrices.php
+++ b/htdocs/fourn/ajax/getSupplierPrices.php
@@ -46,7 +46,7 @@ $langs->load('margins');
 
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 if ($idprod > 0)
 {
@@ -55,7 +55,7 @@ if ($idprod > 0)
 
 	$sorttouse = 's.nom, pfp.quantity, pfp.price';
 	if (GETPOST('bestpricefirst')) $sorttouse = 'pfp.unitprice, s.nom, pfp.quantity, pfp.price';
-	
+
 	$productSupplierArray = $producttmp->list_product_fournisseur_price($idprod, $sorttouse);    // We list all price per supplier, and then firstly with the lower quantity. So we can choose first one with enough quantity into list.
 	if ( is_array($productSupplierArray))
 	{
@@ -63,15 +63,15 @@ if ($idprod > 0)
 		{
 			$price = $productSupplier->fourn_price * (1 - $productSupplier->fourn_remise_percent / 100);
 			$unitprice = $productSupplier->fourn_unitprice * (1 - $productSupplier->fourn_remise_percent / 100);
-			
+
 			$title = $productSupplier->fourn_name.' - '.$productSupplier->fourn_ref.' - ';
-			
+
 			if ($productSupplier->fourn_qty == 1)
 			{
 				$title.= price($price,0,$langs,0,0,-1,$conf->currency)."/";
 			}
 			$title.= $productSupplier->fourn_qty.' '.($productSupplier->fourn_qty == 1 ? $langs->trans("Unit") : $langs->trans("Units"));
-			
+
 			if ($productSupplier->fourn_qty > 1)
 			{
 				$title.=" - ";
@@ -84,19 +84,19 @@ if ($idprod > 0)
 				$title.= price($productSupplier->fourn_unitcharges,0,$langs,0,0,-1,$conf->currency);
 				$price += $productSupplier->fourn_unitcharges;
 			}
-			
+
 			$label = price($price,0,$langs,0,0,-1,$conf->currency)."/".$langs->trans("Unit");
 			if ($productSupplier->fourn_ref) $label.=' ('.$productSupplier->fourn_ref.')';
-			
+
 			$prices[] = array("id" => $productSupplier->product_fourn_price_id, "price" => price2num($price,0,'',0), "label" => $label, "title" => $title);  // For price field, we must use price2num(), for label or title, price()
 		}
 	}
-	
+
 	// Add price for costprice
 	$price=$producttmp->cost_price;
 	$prices[] = array("id" => 'costprice', "price" => price2num($price), "label" => $langs->trans("CostPrice").': '.price($price,0,$langs,0,0,-1,$conf->currency), "title" => $langs->trans("PMPValueShort").': '.price($price,0,$langs,0,0,-1,$conf->currency));  // For price field, we must use price2num(), for label or title, price()
 
-	if(!empty($conf->stock->enabled)) 
+	if(!empty($conf->stock->enabled))
 	{
 		// Add price for pmp
 		$price=$producttmp->pmp;
diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php
index 1ab8fbd785f..9523d489256 100644
--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
@@ -66,7 +66,7 @@ $year_end        = GETPOST('year_end');
 $search_employe  = GETPOST('search_employe');
 $search_valideur = GETPOST('search_valideur');
 $search_statut   = GETPOST('select_statut');
-$type            = GETPOST('type','int'); 
+$type            = GETPOST('type','int');
 
 // List of fields to search into when doing a "search in all"
 $fieldstosearchall = array(
@@ -82,7 +82,7 @@ $fieldstosearchall = array(
  * Actions
  */
 
-if (GETPOST("button_removefilter_x") || GETPOST("button_removefilter.x") || GETPOST("button_removefilter")) // Both test are required to be compatible with all browsers
+if (GETPOST("button_removefilter_x") || GETPOST("button_removefilter.x") || GETPOST("button_removefilter")) // All tests are required to be compatible with all browsers
 {
 	$search_ref="";
 	$month_create="";
@@ -168,7 +168,7 @@ if($year_create > 0) {
     }
 } else {
     if($month_create > 0) {
-        $filter.= " AND date_format(cp.date_create, '%m') = '$month_create'";
+        $filter.= " AND date_format(cp.date_create, '%m') = '".$db->escape($month_create)."'";
     }
 }
 
@@ -313,7 +313,7 @@ print '</td>';
 
 // DATE CREATE
 print '<td class="liste_titre" align="center">';
-print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.$month_create.'">';
+print '<input class="flat" type="text" size="1" maxlength="2" name="month_create" value="'.dol_escape_htmltag($month_create).'">';
 $formother->select_year($year_create,'year_create',1, $min_year, 0);
 print '</td>';
 
@@ -409,7 +409,7 @@ if (! empty($holiday->holiday))
 		$userstatic->login=$infos_CP['user_login'];
 		$userstatic->statut=$infos_CP['user_statut'];
 		$userstatic->photo=$infos_CP['user_photo'];
-		
+
 		// Valideur
 		$approbatorstatic->id=$infos_CP['fk_validator'];
 		$approbatorstatic->lastname=$infos_CP['validator_lastname'];
@@ -417,7 +417,7 @@ if (! empty($holiday->holiday))
 		$approbatorstatic->login=$infos_CP['validator_login'];
 		$approbatorstatic->statut=$infos_CP['validator_statut'];
 		$approbatorstatic->photo=$infos_CP['validator_photo'];
-		
+
 		$date = $infos_CP['date_create'];
 
 		print '<tr '.$bc[$var].'>';
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 7e52b454f97..2806f2d06a0 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -97,8 +97,9 @@ function test_sql_and_script_inject($val, $type)
     $sql_inj += preg_match('/<script/i', $val);
     if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
     $sql_inj += preg_match('/base[\s]+href/si', $val);
-    $sql_inj += preg_match('/<.*onmouse/si', $val);       // onmousexxx can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
-    $sql_inj += preg_match('/onerror\s*=/i', $val);       // onerror can be set on img or any html tag like <img title='>' onerror = alert(1)>
+    $sql_inj += preg_match('/<.*onmouse/si', $val);       // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
+    $sql_inj += preg_match('/onerror\s*=/i', $val);       // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
+//    $sql_inj += preg_match('/onfocus\s*=/i', $val);       // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
     if ($type == 1)
     {
         $sql_inj += preg_match('/javascript:/i', $val);
@@ -1477,14 +1478,14 @@ function top_menu($head, $title='', $target='', $disablejs=0, $disablehead=0, $a
 	    // Link to print main content area
 	    if (empty($conf->global->MAIN_PRINT_DISABLELINK) && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER) && empty($conf->browser->phone))
 	    {
-	        $qs=$_SERVER["QUERY_STRING"];
+	        $qs=dol_escape_htmltag($_SERVER["QUERY_STRING"]);
 
 			foreach($_POST as $key=>$value) {
-				if($key!=='action' && !is_array($value))$qs.='&'.$key.'='.urlencode($value);
+				if ($key!=='action' && !is_array($value)) $qs.='&'.$key.'='.urlencode($value);
 			}
 
 			$qs.=(($qs && $morequerystring)?'&':'').$morequerystring;
-	        $text ='<a href="'.$_SERVER["PHP_SELF"].'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
+	        $text ='<a href="'.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.$qs.($qs?'&':'').'optioncss=print" target="_blank">';
 	        $text.= img_picto(":".$langs->trans("PrintContentArea"), 'printer_top.png', 'class="printer"');
 	        $text.='</a>';
 	        $toprightmenu.=@Form::textwithtooltip('',$langs->trans("PrintContentArea"),2,1,$text,'login_block_elem',2);
diff --git a/htdocs/product/ajax/products.php b/htdocs/product/ajax/products.php
index 15541016963..8015f6f1172 100644
--- a/htdocs/product/ajax/products.php
+++ b/htdocs/product/ajax/products.php
@@ -57,7 +57,7 @@ $warehouseStatus = GETPOST('warehousestatus', 'alpha');
  * View
  */
 
-// print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+// print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 dol_syslog(join(',', $_GET));
 // print_r($_GET);
diff --git a/htdocs/product/stats/card.php b/htdocs/product/stats/card.php
index 7272524f9e3..76a4ce02b6e 100644
--- a/htdocs/product/stats/card.php
+++ b/htdocs/product/stats/card.php
@@ -69,7 +69,7 @@ if (! empty($id) || ! empty($ref) || GETPOST('id') == 'all')
     {
         llxHeader("",$langs->trans("ProductStatistics"));
 
-   	    $type = GETPOST('type');
+   	    $type = GETPOST('type', 'intcomma');
 
        	$helpurl='';
         if ($type == '0')
diff --git a/htdocs/public/paybox/paymentko.php b/htdocs/public/paybox/paymentko.php
index 09de4525b39..e4faf370126 100644
--- a/htdocs/public/paybox/paymentko.php
+++ b/htdocs/public/paybox/paymentko.php
@@ -62,7 +62,7 @@ $langs->load("paypal");
  * View
  */
 
-dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
+dol_syslog("Callback url when a PayBox payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
 
 $tracepost = "";
 foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
diff --git a/htdocs/public/paybox/paymentok.php b/htdocs/public/paybox/paymentok.php
index 9c3030a86ba..bc3993560c6 100644
--- a/htdocs/public/paybox/paymentok.php
+++ b/htdocs/public/paybox/paymentok.php
@@ -70,7 +70,7 @@ if (empty($PAYBOXFULLTAG)) $PAYBOXFULLTAG=GETPOST('fulltag');
  * View
  */
 
-dol_syslog("Callback url when a PayBox payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paybox');
+dol_syslog("Callback url when a PayBox payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paybox');
 
 $tracepost = "";
 foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
diff --git a/htdocs/public/paypal/paymentko.php b/htdocs/public/paypal/paymentko.php
index 4bad572ed8b..c4b98843fa7 100644
--- a/htdocs/public/paypal/paymentko.php
+++ b/htdocs/public/paypal/paymentko.php
@@ -70,7 +70,7 @@ if (empty($PAYPALFULLTAG)) $PAYPALFULLTAG=GETPOST('fulltag');
  * View
  */
 
-dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
+dol_syslog("Callback url when a PayPal payment was canceled. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
 
 $tracepost = "";
 foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
@@ -90,8 +90,8 @@ if (! empty($conf->global->PAYPAL_PAYONLINE_SENDEMAIL))
     $FinalPaymentAmt    = $_SESSION["Payment_Amount"];
     // From env
     $ipaddress          = $_SESSION['ipaddress'];
-    
-    
+
+
 	$sendto=$conf->global->PAYPAL_PAYONLINE_SENDEMAIL;
 	$from=$conf->global->MAILING_EMAIL_FROM;
 
diff --git a/htdocs/public/paypal/paymentok.php b/htdocs/public/paypal/paymentok.php
index 90f13aa6f17..8c9e8471195 100644
--- a/htdocs/public/paypal/paymentok.php
+++ b/htdocs/public/paypal/paymentok.php
@@ -100,7 +100,7 @@ if (empty($PAYPALFULLTAG)) $PAYPALFULLTAG=GETPOST('fulltag');
  * View
  */
 
-dol_syslog("Callback url when a PayPal payment was done. query_string=".(empty($_SERVER["QUERY_STRING"])?'':$_SERVER["QUERY_STRING"])." script_uri=".(empty($_SERVER["SCRIPT_URI"])?'':$_SERVER["SCRIPT_URI"]), LOG_DEBUG, 0, '_paypal');
+dol_syslog("Callback url when a PayPal payment was done. query_string=".(dol_escape_htmltag($_SERVER["QUERY_STRING"])?dol_escape_htmltag($_SERVER["QUERY_STRING"]):'')." script_uri=".(dol_escape_htmltag($_SERVER["SCRIPT_URI"])?dol_escape_htmltag($_SERVER["SCRIPT_URI"]):''), LOG_DEBUG, 0, '_paypal');
 
 $tracepost = "";
 foreach($_POST as $k => $v) $tracepost .= "{$k} - {$v}\n";
diff --git a/htdocs/societe/ajax/company.php b/htdocs/societe/ajax/company.php
index 32f57f73c25..36751b709c0 100644
--- a/htdocs/societe/ajax/company.php
+++ b/htdocs/societe/ajax/company.php
@@ -43,7 +43,7 @@ $id=GETPOST('id', 'int');
  * View
  */
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 dol_syslog(join(',', $_GET));
 //print_r($_GET);
@@ -62,7 +62,7 @@ if (! empty($action) && $action == 'fetch' && ! empty($id))
 		$outlabel = '';
 		$outdesc = '';
 		$outtype = $object->type;
-		
+
 		$outjson = array('ref' => $outref,'name' => $outname,'desc' => $outdesc,'type' => $outtype);
 	}
 
diff --git a/htdocs/societe/ajaxcompanies.php b/htdocs/societe/ajaxcompanies.php
index b3565a2ca26..0a7ea058ba7 100644
--- a/htdocs/societe/ajaxcompanies.php
+++ b/htdocs/societe/ajaxcompanies.php
@@ -44,7 +44,7 @@ require '../main.inc.php';
 //top_htmlhead("", "", 1);  // Replaced with top_httphead. An ajax page does not need html header.
 top_httphead();
 
-//print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 dol_syslog(join(',',$_GET));
 
diff --git a/htdocs/societe/ajaxcountries.php b/htdocs/societe/ajaxcountries.php
index 7eb22035d6b..b9d1bf5fc8c 100644
--- a/htdocs/societe/ajaxcountries.php
+++ b/htdocs/societe/ajaxcountries.php
@@ -45,7 +45,7 @@ $country=GETPOST('country', 'alpha');
 //top_htmlhead("", "", 1);  // Replaced with top_httphead. An ajax page does not need html header.
 top_httphead();
 
-print '<!-- Ajax page called with url '.$_SERVER["PHP_SELF"].'?'.$_SERVER["QUERY_STRING"].' -->'."\n";
+print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
 
 dol_syslog(join(',',$_POST));
 
diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php
index cb38d1c9e49..92144f4be69 100644
--- a/htdocs/user/passwordforgotten.php
+++ b/htdocs/user/passwordforgotten.php
@@ -152,9 +152,6 @@ if ($action == 'buildnewpassword' && $username)
  * View
  */
 
-$php_self = $_SERVER['PHP_SELF'];
-$php_self.= $_SERVER["QUERY_STRING"]?'?'.$_SERVER["QUERY_STRING"]:'';
-
 $dol_url_root = DOL_URL_ROOT;
 
 // Title