diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index ef1bbaec397..4507a7b1be3 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -83,8 +83,9 @@ function test_sql_and_script_inject($val, $get)
 	$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 	// For XSS Injection done by adding javascript with script
     $sql_inj += preg_match('/<script/i', $val);
-    $sql_inj += preg_match('/img[\s]src/i', $val);
-    $sql_inj += preg_match('/base[\s]href/i', $val);
+    $sql_inj += preg_match('/img[\s]+src/i', $val);
+    $sql_inj += preg_match('/base[\s]+href/i', $val);
+    $sql_inj += preg_match('/style([\s]+)?=/i', $val);
 	if ($get) $sql_inj += preg_match('/javascript:/i', $val);
 	// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
 	if ($get) $sql_inj += preg_match('/"/i', $val);	// We refused " in GET parameters value
@@ -374,7 +375,7 @@ if (! defined('NOLOGIN'))
 		// If error, we will put error message in session under the name dol_loginmesg
 		$goontestloop=false;
 		if (isset($_SERVER["REMOTE_USER"]) && in_array('http',$authmode)) $goontestloop=true;
-		if (isset($_POST["username"]) || ! empty($_COOKIE['login_dolibarr']) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
+		if (GETPOST("username","alpha",2) || ! empty($_COOKIE['login_dolibarr']) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
 
 		if ($test && $goontestloop)
 		{
@@ -406,13 +407,13 @@ if (! defined('NOLOGIN'))
 				$langs->load('errors');
 
 				// Bad password. No authmode has found a good password.
-				$user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.$_POST["username"];
+				$user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.GETPOST("username","alpha",2);
 				$_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
 
 				// Appel des triggers
 				include_once(DOL_DOCUMENT_ROOT . "/core/class/interfaces.class.php");
 				$interface=new Interfaces($db);
-				$result=$interface->run_triggers('USER_LOGIN_FAILED',$user,$user,$langs,$conf,$_POST["entity"]);
+				$result=$interface->run_triggers('USER_LOGIN_FAILED',$user,$user,$langs,$conf,GETPOST("username","alpha",2));
 				if ($result < 0) { $error++; }
 				// Fin appel triggers
 			}