diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 75832d42d0a..084eb277b27 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -8341,13 +8341,15 @@ function dol_eval($s, $returnvalue = 0, $hideerrors = 1, $onlysimplestring = '1'
 // Test on dangerous char (used for RCE), we allow only characters to make PHP variable testing.
 if ($onlysimplestring == '1') {
 //print preg_quote('$_->&|', '/');
- if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?:', '/').']/i', $s)) {
+ if (preg_match('/[^a-z0-9\s'.preg_quote('$_->&|=!?():"', '/').']/i', $s)) {
 if ($returnvalue) {
 return 'Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s;
 } else {
 dol_syslog('Bad string syntax to evaluate (found chars that are not chars for simplestring): '.$s);
 return '';
 }
+ // TODO We can exclude all () that is not ...($db) and getDolGlobalInt( and getDolGlobalString(
+ // ...
 }
 } elseif ($onlysimplestring == '2') {
 //print preg_quote('$_->&|', '/');
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index c5f74683c43..8be8c07f887 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -915,7 +915,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 $this->assertContains('Bad string syntax to evaluate', $result);
 // Case with param onlysimplestring = 1
- $result=dol_eval('1 && $conf->abc->doesnotexist1 && $conf->def->doesnotexist1', 1, 0); // Should return false and not a 'Bad string syntax to evaluate ...'
+ $result=dol_eval('1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL', 1, 0); // Should return false and not a 'Bad string syntax to evaluate ...'
 print "result = ".$result."\n";
 $this->assertFalse($result);
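Review bot: The widened character class in the `+` `preg_match` line of dol_eval lets any `name("literal")` call syntax through the `onlysimplestring == '1'` check, while the restriction to the intended callees is left as a TODO two lines below; that restriction should land with this change rather than after it, because once `(`, `)` and `"` are permitted the character class alone can no longer tell the two named helpers apart from any other function the evaluated string might name. A small way to enforce the TODO that keeps the new `getDolGlobalInt("doesnotexist1")` test case passing is to strip the allowed call prefixes and reject any remaining `(`, mirroring the existing `$returnvalue`/`dol_syslog` branches so the rejection is logged the same way as the character check. The `...($db)` case named in the TODO is not visible in this hunk, so it is not in the alternation below and would need its own explicit entry if it is really required. dol_eval's signature and the rest of its body lie outside the hunk.
```php
// … unchanged: character allowlist check and its error handling …
// Reject any call syntax except the helpers explicitly allowed in simplestring mode.
// Every name added to this alternation widens what dol_eval will execute; extend it deliberately.
$sWithoutAllowedCalls = preg_replace('/\b(?:getDolGlobalInt|getDolGlobalString)\s*\(/i', '', $s);
if (strpos($sWithoutAllowedCalls, '(') !== false) {
    if ($returnvalue) {
        return 'Bad string syntax to evaluate (function call not allowed for simplestring): '.$s;
    } else {
        dol_syslog('Bad string syntax to evaluate (function call not allowed for simplestring): '.$s);
        return '';
    }
}
```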