diff --git a/htdocs/user/hierarchy.php b/htdocs/user/hierarchy.php index 7882bfb24e2..65723b4d65d 100644 --- a/htdocs/user/hierarchy.php +++ b/htdocs/user/hierarchy.php @@ -52,6 +52,10 @@ if (GETPOST('button_removefilter_x','alpha') || GETPOST('button_removefilter','a $search_statut=""; } +// Define value to know what current user can do on users +$canadduser=(! empty($user->admin) || $user->rights->user->user->creer); + + /* * View @@ -62,12 +66,7 @@ $form = new Form($db); $arrayofjs=array('/includes/jquery/plugins/jquerytreeview/jquery.treeview.js', '/includes/jquery/plugins/jquerytreeview/lib/jquery.cookie.js'); $arrayofcss=array('/includes/jquery/plugins/jquerytreeview/jquery.treeview.css'); -llxHeader('',$langs->trans("ListOfUsers"). ' ('.$langs->trans("HierarchicView").')','','',0,0,$arrayofjs,$arrayofcss); - -$morehtmlright = ''.$langs->trans("ViewList").''; - -print load_fiche_titre($langs->trans("ListOfUsers"). ' ('.$langs->trans("HierarchicView").')', $morehtmlright); - +llxHeader('',$langs->trans("ListOfUsers"). ' - '.$langs->trans("HierarchicView"),'','',0,0,$arrayofjs,$arrayofcss); // Load hierarchy of users @@ -138,9 +137,30 @@ foreach($fulltree as $key => $val) //var_dump($data); -print '
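Review bot: In the added `$canadduser` assignment, `$user->rights->user->user->creer` is read directly while `$user->admin` on the same line is guarded with `! empty()`. If that right is not set on the user object, PHP raises an undefined-property notice. Suggested form: `$canadduser=(! empty($user->admin) || ! empty($user->rights->user->user->creer));`. The flag only decides whether the new-user button is rendered further down in this file (`if ($canadduser)`), so the page that button links to still has to enforce the permission itself; that check is outside this diff.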
'."\n"; +$title = $langs->trans("ListOfUsers"). ' - '.$langs->trans("HierarchicView"); -$param="search_statut=".$search_statut; +$param="search_statut=".urlencode($search_statut); + +$newcardbutton=''; +if ($canadduser) +{ + $newcardbutton = ''.$langs->trans('NewUser').''; + $newcardbutton.= ''; + $newcardbutton.= ''; +} + +$morehtmlright = ''.$langs->trans("ViewList").''; + +print load_fiche_titre($title, $morehtmlright.' '.$newcardbutton); + +print ''."\n"; +if ($optioncss != '') print ''; +print ''; +print ''; +print ''; +print ''; +print ''; +print ''; print ''; diff --git a/htdocs/user/list.php b/htdocs/user/list.php index d69dfce5f83..dcede3a5576 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php 
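Review bot: `$optioncss` is tested in the added `if ($optioncss != '') print '';`, but none of the hierarchy.php hunks assigns it, so it may be undefined here unless it is read from the request in code outside the diff. The string literals in the added `print` lines are empty in this rendering, so the emitted markup cannot be checked from the page. If those lines write request-derived values such as `$optioncss` into hidden inputs, each value should pass through `dol_escape_htmltag()` at output, because the `urlencode()` added to `$param` in this hunk covers only the URL context.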
@@ -266,21 +266,21 @@ if ($num == 1 && ! empty($conf->global->MAIN_SEARCH_DIRECT_OPEN_IF_ONLY_ONE) &&
 llxHeader('',$langs->trans("ListOfUsers"));
 $param='';
-if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage;
-if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.$limit;
+if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.urlencode($contextpage);
+if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.urlencode($limit);
 if ($sall != '') $param.='&sall='.urlencode($sall);
-if ($search_user != '') $param.="&search_user=".$search_user;
-if ($search_login != '') $param.="&search_login=".$search_login;
-if ($search_lastname != '') $param.="&search_lastname=".$search_lastname;
-if ($search_firstname != '') $param.="&search_firstname=".$search_firstname;
-if ($search_gender != '') $param.="&search_gender=".$search_gender;
-if ($search_employee != '') $param.="&search_employee=".$search_employee;
-if ($search_accountancy_code != '') $param.="&search_accountancy_code=".$search_accountancy_code;
-if ($search_email != '') $param.="&search_email=".$search_email;
-if ($search_supervisor > 0) $param.="&search_supervisor=".$search_supervisor;
-if ($search_statut != '') $param.="&search_statut=".$search_statut;
-if ($optioncss != '') $param.='&optioncss='.$optioncss;
-if ($mode != '') $param.='&mode='.$mode;
+if ($search_user != '') $param.="&search_user=".urlencode($search_user);
+if ($search_login != '') $param.="&search_login=".urlencode($search_login);
+if ($search_lastname != '') $param.="&search_lastname=".urlencode($search_lastname);
+if ($search_firstname != '') $param.="&search_firstname=".urlencode($search_firstname);
+if ($search_gender != '') $param.="&search_gender=".urlencode($search_gender);
+if ($search_employee != '') $param.="&search_employee=".urlencode($search_employee);
+if ($search_accountancy_code != '') $param.="&search_accountancy_code=".urlencode($search_accountancy_code);
+if ($search_email != '') $param.="&search_email=".urlencode($search_email);
+if ($search_supervisor > 0) $param.="&search_supervisor=".urlencode($search_supervisor);
+if ($search_statut != '') $param.="&search_statut=".urlencode($search_statut);
+if ($optioncss != '') $param.='&optioncss='.urlencode($optioncss);
+if ($mode != '') $param.='&mode='.urlencode($mode);
 if ($search_categ > 0) $param.="&search_categ=".urlencode($search_categ);
 // Add $param from extra fields
 include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_param.tpl.php';
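Review bot: The `include` of `extrafields_list_search_param.tpl.php` at the end of this hunk keeps appending to the same `$param`, and that template is not part of this diff. Whether the extra-field values it adds are encoded cannot be confirmed here and should be checked, so the string is encoded consistently. `urlencode()` makes each value safe inside a query string, but `$param` still carries raw `&` separators, so wherever it is written into an `href` or form action (outside the hunk) the sink has to escape for the HTML attribute context. A comment above `$param='';` such as `// Values appended to $param must be urlencode()d before concatenation` would keep later additions from regressing.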