From 505543e18e3d6ca331492c9d862fcdf7decb038a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Mon, 26 Jul 2021 00:37:47 +0200
Subject: [PATCH] Fix #yogosha6704

---
 htdocs/comm/action/list.php                  | 2 +-
 htdocs/core/class/html.formactions.class.php | 2 +-
 htdocs/core/lib/agenda.lib.php               | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/htdocs/comm/action/list.php b/htdocs/comm/action/list.php
index e95cc3366c52c..9c587a934e2f1 100644
--- a/htdocs/comm/action/list.php
+++ b/htdocs/comm/action/list.php
@@ -47,7 +47,7 @@
 $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'actioncommlist'; // To manage different context of search
 $resourceid = GETPOST("search_resourceid", "int") ?GETPOST("search_resourceid", "int") : GETPOST("resourceid", "int");
 $pid = GETPOST("search_projectid", 'int', 3) ?GETPOST("search_projectid", 'int', 3) : GETPOST("projectid", 'int', 3);
-$search_status = (GETPOST("search_status", 'alpha') != '') ?GETPOST("search_status", 'alpha') : GETPOST("status", 'alpha');
+$search_status = (GETPOST("search_status", 'aZ09') != '') ? GETPOST("search_status", 'aZ09') : GETPOST("status", 'aZ09');
 $type = GETPOST('search_type', 'alphanohtml') ?GETPOST('search_type', 'alphanohtml') : GETPOST('type', 'alphanohtml');
 $optioncss = GETPOST('optioncss', 'alpha');
 $year = GETPOST("year", 'int');
diff --git a/htdocs/core/class/html.formactions.class.php b/htdocs/core/class/html.formactions.class.php
index 992efb79bbfbd..09c94485d11ff 100644
--- a/htdocs/core/class/html.formactions.class.php
+++ b/htdocs/core/class/html.formactions.class.php
@@ -97,7 +97,7 @@ public function form_select_status_action($formname, $selected, $canedit = 1, $h
                 function select_status() {
                     var defaultvalue = $('#select' + htmlname).val();
                     var percentage = $('input[name=percentage]');
-                    var selected = '".(isset($selected) ? $selected : '')."';
+                    var selected = '".(isset($selected) ? dol_escape_js($selected) : '')."';
                     var value = (selected>0?selected:(defaultvalue>=0?defaultvalue:''));
 
                     percentage.val(value);
diff --git a/htdocs/core/lib/agenda.lib.php b/htdocs/core/lib/agenda.lib.php
index ae96f59d407b6..9796c49cf5981 100644
--- a/htdocs/core/lib/agenda.lib.php
+++ b/htdocs/core/lib/agenda.lib.php
@@ -61,13 +61,13 @@ function print_actions_filter($form, $canedit, $status, $year, $month, $day, $sh
 	// Filters
 	//print '<form name="listactionsfilter" class="listactionsfilter" action="' . $_SERVER["PHP_SELF"] . '" method="get">';
 	print '<input type="hidden" name="token" value="'.newToken().'">';
-	print '<input type="hidden" name="year" value="'.$year.'">';
-	print '<input type="hidden" name="month" value="'.$month.'">';
-	print '<input type="hidden" name="day" value="'.$day.'">';
+	print '<input type="hidden" name="year" value="'.((int) $year).'">';
+	print '<input type="hidden" name="month" value="'.((int) $month).'">';
+	print '<input type="hidden" name="day" value="'.((int) $day).'">';
 	if ($massaction != 'predelete' && $massaction != 'preaffecttag') {		// When $massaction == 'predelete', action may be already output to 'delete' by the mass action system.
 		print '<input type="hidden" name="action" value="'.$action.'">';
 	}
-	print '<input type="hidden" name="search_showbirthday" value="'.$showbirthday.'">';
+	print '<input type="hidden" name="search_showbirthday" value="'.((int) $showbirthday).'">';
 
 	if ($canedit) {
 		print '<div class="divsearchfield">';