From b2f8c4c6b8025322e96942f4867939fa3957b964 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 20 Sep 2020 19:21:04 +0200
Subject: [PATCH] Escape output
---
 htdocs/fourn/commande/card.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php
index 4dfcc554501..4a26d3b4cb6 100644
--- a/htdocs/fourn/commande/card.php
+++ b/htdocs/fourn/commande/card.php
@@ -1484,8 +1484,8 @@ if (!empty($conf->projet->enabled)) { $formproject = new FormProjets($db); } $help_url = 'EN:Module_Suppliers_Orders|FR:CommandeFournisseur|ES:Módulo_Pedidos_a_proveedores'; llxHeader('', $langs->trans("Order"), $help_url); - $now = dol_now(); + if ($action == 'create') { print load_fiche_titre($langs->trans('NewOrderSupplier'), '', 'supplier_order');
@@ -1786,8 +1786,7 @@ if ($action == 'create') print ''; } print "\n"; -} elseif (!empty($object->id)) -{ +} elseif (!empty($object->id)) { $result = $object->fetch($id, $ref); $societe = new Fournisseur($db);
@@ -2192,7 +2191,7 @@ if ($action == 'create') print ''; if ($action != 'editincoterm') { - print $form->textwithpicto($object->display_incoterms(), $object->label_incoterms, 1); + print $form->textwithpicto(dol_escape_htmltag($object->display_incoterms()), $object->label_incoterms, 1); } else { print $form->select_incoterms((!empty($object->fk_incoterms) ? $object->fk_incoterms : ''), (!empty($object->location_incoterms) ? $object->location_incoterms : ''), $_SERVER['PHP_SELF'].'?id='.$object->id); }
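Review bot: In the third hunk only the first argument of `textwithpicto()` is wrapped in `dol_escape_htmltag()`, while the second argument, `$object->label_incoterms`, is still passed through as-is. Whether `textwithpicto()` escapes its tooltip text is not visible here, so either confirm that it does or change the call to `print $form->textwithpicto(dol_escape_htmltag($object->display_incoterms()), dol_escape_htmltag($object->label_incoterms), 1);`. It is also worth checking that `display_incoterms()` never returns intentional markup, since that would now be shown as literal text. A short comment such as `// incoterm values come from stored order data: escape before output` would record why the wrapper is there. The enclosing `elseif (!empty($object->id))` branch starts and continues outside this hunk, so other outputs of the same fields could not be reviewed.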