diff --git a/htdocs/admin/ticket_public.php b/htdocs/admin/ticket_public.php
index a1bf95d819f..1f32fec97aa 100644
--- a/htdocs/admin/ticket_public.php
+++ b/htdocs/admin/ticket_public.php
@@ -330,7 +330,7 @@ if (!empty($conf->global->TICKET_ENABLE_PUBLIC_INTERFACE)) {
 	print '</tr>';
 
 	// Auto fill the contact found from email
-	// This option is a serious security hole. it allowe to any non looged perso, to get the database of contacts
+	// This option is a serious security hole. it allows to any non logged perso, to get the database of contacts or to check if an email is a customer or not. We must keep it as hidden option only.
 	/*
 	print '<tr class="oddeven"><td>'.$langs->trans("TicketCreateThirdPartyWithContactIfNotExist").'</td>';
 	print '<td class="left">';
diff --git a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
index a1e24fa6d2c..20a9d7b097f 100644
--- a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
+++ b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
@@ -401,4 +401,6 @@ ALTER TABLE llx_facture_fourn_det MODIFY COLUMN ref varchar(128);
 
 ALTER TABLE llx_projet ADD COLUMN extraparams varchar(255);
 
+DELETE FROM llx_const WHERE name = 'TICKET_CREATE_THIRD_PARTY_WITH_CONTACT_IF_NOT_EXIST';
+
 
diff --git a/htdocs/public/ticket/ajax/ajax.php b/htdocs/public/ticket/ajax/ajax.php
index 19361320ced..b40b1af2219 100644
--- a/htdocs/public/ticket/ajax/ajax.php
+++ b/htdocs/public/ticket/ajax/ajax.php
@@ -55,7 +55,7 @@ include_once '../../../main.inc.php'; // Load $user and permissions
 
 $action = GETPOST('action', 'aZ09');
 $id = GETPOST('id', 'int');
-$email = GETPOST('email', 'alphanohtml');
+$email = GETPOST('email', 'custom', 0, 'FILTER_VALIDATE_EMAIL');
 
 if (!isModEnabled('ticket')) {
 	httponly_accessforbidden('Module Ticket not enabled');