diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 89c12902f90..96e3cd7dcd2 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -172,7 +172,7 @@ function dol_shutdown()
  *  Return value of a param into GET or POST supervariable
  *
  *  @param	string	$paramname   Name of parameter to found
- *  @param	string	$check	     Type of check (''=no check,  'int'=check it's numeric, 'alpha'=check it's alpha only, 'array'=check it's array)
+ *  @param	string	$check	     Type of check (''=no check,  'int'=check it's numeric, 'alpha'=check it's text and sign, 'az'=check it's a-z only, 'array'=check it's array)
  *  @param	int		$method	     Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get, 4 = post then get then cookie)
  *  @return string      		 Value found, or '' if check fails
  */
@@ -198,6 +198,13 @@ function GETPOST($paramname,$check='',$method=0)
 			if (preg_match('/"/',$out)) $out='';
 			else if (preg_match('/\.\.\//',$out)) $out='';
 		}
+		elseif ($check == 'az')
+		{
+			$out=trim($out);
+			// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
+			// '../' is dangerous because it allows dir transversals
+			if (preg_match('/[^a-z]+/',$out)) $out='';
+		}
 		elseif ($check == 'array')
 		{
 			if (! is_array($out) || empty($out)) $out=array();