diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index e9e42d586fb..86130aec217 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -617,7 +617,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null
 do {
 $oldstringtoclean = $out;
- $out = str_ireplace(array('javascript', 'vbscript', '&colon', ':'), '', $out);
+ $out = str_ireplace(array('javascript', 'vbscript', '&colon', '&#'), '', $out);
 } while ($oldstringtoclean != $out);
 $out = preg_replace(array('/^[a-z]*\/\/+/i'), '', $out);
@@ -1029,7 +1029,7 @@ function dol_sanitizeUrl($stringtoclean, $type = 1)
 do {
 $oldstringtoclean = $stringtoclean;
- $stringtoclean = str_ireplace(array('javascript', 'vbscript', '&colon', ':'), '', $stringtoclean);
+ $stringtoclean = str_ireplace(array('javascript', 'vbscript', '&colon', '&#'), '', $stringtoclean);
 } while ($oldstringtoclean != $stringtoclean);
 if ($type == 1) {
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index c3855dd9cba..b3ea5a2c9b2 100644
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -476,7 +476,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 $_POST["backtopage"]='javascripT&javascript#javascriptxjavascript3a alert(1)';
 $result=GETPOST("backtopage");
 print __METHOD__." result=".$result."\n";
- $this->assertEquals(' alert(1)', $result, 'Test for backtopage param');
+ $this->assertEquals('3a alert(1)', $result, 'Test for backtopage param');
 return $result;
 }
@@ -691,7 +691,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
 $test = 'javascripT&javascript#x3a alert(1)';
 $result=dol_sanitizeUrl($test);
- $this->assertEquals(' alert(1)', $result, 'Test on dol_sanitizeUrl A');
+ $this->assertEquals('3a alert(1)', $result, 'Test on dol_sanitizeUrl A');
 $test = 'javajavascriptscript&cjavascriptolon;alert(1)';
 $result=dol_sanitizeUrl($test);
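Review bot: With `':'` dropped from the `str_ireplace` list on the new `$out = str_ireplace(...)` line, a scheme split by a raw tab or newline — `java\tscript:alert(1)` — is no longer neutralised: `str_ireplace` does not match `javascript` across the control character, the colon now survives, and HTML URL parsing strips ASCII tab/LF/CR from the scheme before it is interpreted. Unless control characters are already removed earlier in GETPOST (not visible in this hunk), the loop should strip them too, e.g. add `$out = preg_replace('/[\x00-\x1F\x7F]/', '', $out);` as the first statement of the `do` body. Keeping the colon also changes what the following `preg_replace` line does: `https://host/x` used to become `https//host/x` and be reduced to `host/x` by `^[a-z]*\/\/+`, whereas now an absolute URL passes through untouched, so a `backtopage` value can again point off-site unless the redirect target is validated elsewhere; if that is unintended, `'/^[a-z]*:?\/\/+/i'` restores the old stripping. GETPOST's body continues on both sides of the hunk.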
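Review bot: The new `'&#'` entry in dol_sanitizeUrl's `str_ireplace` list catches numeric character references, but named references that decode to whitespace still pass: `java&Tab;script:alert(1)` (likewise `&NewLine;`) contains neither `javascript`, `&#` nor `&colon`, the colon is now kept, and a browser decodes the reference inside an `href` and then drops the tab/newline while parsing the scheme. The raw characters have the same effect, since `str_ireplace` does not match across them either. Suggest stripping control characters inside the loop and extending the list: `$stringtoclean = preg_replace('/[\x00-\x1F\x7F]/', '', $stringtoclean);` followed by `$stringtoclean = str_ireplace(array('javascript', 'vbscript', '&colon', '&#', '&tab;', '&newline;'), '', $stringtoclean);` (`str_ireplace` is case-insensitive, so `&Tab;` is covered). The identical loop in GETPOST above needs the same additions; the `$type == 1` branch that follows lies outside the hunk.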
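Review bot: The updated expectation `'3a alert(1)'` for 'Test on dol_sanitizeUrl A' only confirms that `&#` is stripped from an already-mangled input; the hunk adds no case for the vector that motivates the change — an entity-obfuscated scheme such as `java&#x73;cript&#x3a;alert(1)` — nor for the whitespace variants the new list still lets through. Add assertions such as `$this->assertStringNotContainsString('&#', dol_sanitizeUrl('java&#x73;cript&#x3a;alert(1)'), 'Test on dol_sanitizeUrl numeric entity');` and `$this->assertStringNotContainsString(':', dol_sanitizeUrl("java\tscript:alert(1)"), 'Test on dol_sanitizeUrl tab in scheme');` so the filter's intent is pinned rather than the incidental output of the existing string (the second one fails against the code in this diff, which is the point). The test method continues outside the hunk.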