From ac7a077c77b6c6b922225ec0d47120b886898196 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sun, 16 Feb 2020 18:14:10 +0100
Subject: [PATCH] FIX Vulnerability in module from modulebuilder. Only fields
 with type html can contains HTML.

---
 htdocs/core/actions_addupdatedelete.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/core/actions_addupdatedelete.inc.php b/htdocs/core/actions_addupdatedelete.inc.php
index 59606ee65b5..ebc8e48d742 100644
--- a/htdocs/core/actions_addupdatedelete.inc.php
+++ b/htdocs/core/actions_addupdatedelete.inc.php
@@ -76,7 +76,7 @@ if ($action == 'add' && !empty($permissiontoadd))
 		} elseif (preg_match('/^(integer|price|real|double)/', $object->fields[$key]['type'])) {
 			$value = price2num(GETPOST($key, 'none')); // To fix decimal separator according to lang setup
 		} else {
-			$value = GETPOST($key, 'alpha');
+			$value = GETPOST($key, 'alphanohtml');
 		}
 		if (preg_match('/^integer:/i', $object->fields[$key]['type']) && $value == '-1') $value = ''; // This is an implicit foreign key field
 		if (!empty($object->fields[$key]['foreignkey']) && $value == '-1') $value = ''; // This is an explicit foreign key field