From 487b5b25dbf9457228e1ad55c737de9dd927714f Mon Sep 17 00:00:00 2001
From: altatof <christophe@altairis.fr>
Date: Fri, 13 Jan 2017 15:37:33 +0100
Subject: [PATCH 1/3] FIX: extrafield input for varchar was not working with
 special char within (ie double quotes)

---
 htdocs/core/class/extrafields.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php
index 496a8f2e251..63621d56a82 100644
--- a/htdocs/core/class/extrafields.class.php
+++ b/htdocs/core/class/extrafields.class.php
@@ -763,7 +763,7 @@ class ExtraFields
 		}
 		elseif ($type == 'phone')
 		{
-			$out='<input type="text" class="flat" name="'.$keysuffix.'options_'.$key.$keyprefix.'"  size="20" value="'.$value.'" '.($moreparam?$moreparam:'').'>';
+			$out='<input type="text" class="flat" name="'.$keysuffix.'options_'.$key.$keyprefix.'"  size="20" value="'.htmlentities($value).'" '.($moreparam?$moreparam:'').'>';
 		}
 		elseif ($type == 'price')
 		{

From 55c0a99bce46ae767e86069cc7823b307f0f1654 Mon Sep 17 00:00:00 2001
From: altatof <christophe@altairis.fr>
Date: Fri, 13 Jan 2017 15:42:07 +0100
Subject: [PATCH 2/3] fix was not at the right place

---
 htdocs/core/class/extrafields.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php
index 63621d56a82..cc6b61b236e 100644
--- a/htdocs/core/class/extrafields.class.php
+++ b/htdocs/core/class/extrafields.class.php
@@ -739,7 +739,7 @@ class ExtraFields
 		}
 		elseif ($type == 'varchar')
 		{
-			$out='<input type="text" class="flat" name="'.$keysuffix.'options_'.$key.$keyprefix.'" size="'.$showsize.'" maxlength="'.$size.'" value="'.$value.'"'.($moreparam?$moreparam:'').'>';
+			$out='<input type="text" class="flat" name="'.$keysuffix.'options_'.$key.$keyprefix.'" size="'.$showsize.'" maxlength="'.$size.'" value="'.htmlentities($value).'"'.($moreparam?$moreparam:'').'>';
 		}
 		elseif ($type == 'text')
 		{
@@ -763,7 +763,7 @@ class ExtraFields
 		}
 		elseif ($type == 'phone')
 		{
-			$out='<input type="text" class="flat" name="'.$keysuffix.'options_'.$key.$keyprefix.'"  size="20" value="'.htmlentities($value).'" '.($moreparam?$moreparam:'').'>';
+			$out='<input type="text" class="flat" name="'.$keysuffix.'options_'.$key.$keyprefix.'"  size="20" value="'.$value.'" '.($moreparam?$moreparam:'').'>';
 		}
 		elseif ($type == 'price')
 		{

From 3dd160c6635ebd7eb69bf9defc194eb442229db6 Mon Sep 17 00:00:00 2001
From: altatof <christophe@altairis.fr>
Date: Mon, 16 Jan 2017 09:17:37 +0100
Subject: [PATCH 3/3] use dol_escape_htmltag

---
 htdocs/core/class/extrafields.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php
index cc6b61b236e..0c9e4f3226e 100644
--- a/htdocs/core/class/extrafields.class.php
+++ b/htdocs/core/class/extrafields.class.php
@@ -739,7 +739,7 @@ class ExtraFields
 		}
 		elseif ($type == 'varchar')
 		{
-			$out='<input type="text" class="flat" name="'.$keysuffix.'options_'.$key.$keyprefix.'" size="'.$showsize.'" maxlength="'.$size.'" value="'.htmlentities($value).'"'.($moreparam?$moreparam:'').'>';
+			$out='<input type="text" class="flat" name="'.$keysuffix.'options_'.$key.$keyprefix.'" size="'.$showsize.'" maxlength="'.$size.'" value="'.dol_escape_htmltag($value).'"'.($moreparam?$moreparam:'').'>';
 		}
 		elseif ($type == 'text')
 		{