diff --git a/htdocs/core/actions_setnotes.inc.php b/htdocs/core/actions_setnotes.inc.php
index b9473de1b31..425204e00a4 100644
--- a/htdocs/core/actions_setnotes.inc.php
+++ b/htdocs/core/actions_setnotes.inc.php
@@ -33,7 +33,7 @@ if ($action == 'setnote_public' && ! empty($permissionnote) && ! GETPOST('cancel
if (empty($action) || ! is_object($object) || empty($id)) dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before');
if (empty($object->id)) $object->fetch($id); // Fetch may not be already done
- $result_update=$object->update_note(dol_html_entity_decode(GETPOST('note_public', 'none'), ENT_QUOTES), '_public');
+ $result_update = $object->update_note(dol_html_entity_decode(GETPOST('note_public', 'none'), ENT_QUOTES, 'UTF-8', 1), '_public');
if ($result_update < 0) setEventMessages($object->error, $object->errors, 'errors');
elseif (in_array($object->table_element, array('supplier_proposal', 'propal', 'commande_fournisseur', 'commande', 'facture_fourn', 'facture')))
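Review bot: Nothing visible in this hunk filters `note_public` before it is stored: it is read with the `'none'` check, and the only transformation ahead of `update_note()` is the entity decode, which with the new fourth argument `1` is meant to leave `&`, `<`, `>` and `"` untouched. If HTML filtering is expected to happen inside `update_note()` or when the note is rendered, a comment on this line should say so, so the next reader does not assume the value is safe to echo. The bare `1` is also hard to read at the call site; a trailing comment such as `// 1 = keep &amp; &lt; &gt; &quot; encoded` would help. The enclosing `if` opens above the hunk, and if a matching private-note branch exists outside it, it presumably needs the same call so both notes are stored in the same form.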
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 0b42fc056b3..bc69d809e46 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -213,7 +213,7 @@ class Form
$valuetoshow = price2num($editvalue ? $editvalue : $value);
$ret .= '';
}
- elseif (preg_match('/^text/', $typeofdata) || preg_match('/^note/', $typeofdata))
+ elseif (preg_match('/^text/', $typeofdata) || preg_match('/^note/', $typeofdata)) // if wysiwyg is enabled $typeofdata = 'ckeditor'
{
$tmp = explode(':', $typeofdata);
$cols = $tmp[2];
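Review bot: The added comment on the `elseif` is ambiguous, because it says `$typeofdata = 'ckeditor'` when WYSIWYG is enabled, yet this branch only matches values starting with `text` or `note`. A reader cannot tell whether the comment describes this branch or explains why it is skipped. Something like `// plain textarea; with WYSIWYG enabled $typeofdata starts with 'ckeditor' and does not reach this branch` would be clearer, assuming that is what is meant. The branch body continues past the end of the hunk.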
@@ -225,8 +225,10 @@ class Form
}
$valuetoshow = ($editvalue ? $editvalue : $value);
-
$ret .= '';
}
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 4e82d61c148..b916f6853f5 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -5701,14 +5701,19 @@ function dol_htmlcleanlastbr($stringtodecode)
/**
* Replace html_entity_decode functions to manage errors
*
- * @param string $a Operand a
- * @param string $b Operand b (ENT_QUOTES=convert simple and double quotes)
- * @param string $c Operand c
- * @return string String decoded
+ * @param string $a Operand a
+ * @param string $b Operand b (ENT_QUOTES=convert simple and double quotes)
+ * @param string $c Operand c
+ * @param string $keepsomeentities Entities but &, <, >, " are not converted.
+ * @return string String decoded
*/
-function dol_html_entity_decode($a, $b, $c = 'UTF-8')
+function dol_html_entity_decode($a, $b, $c = 'UTF-8', $keepsomeentities = 0)
{
- return html_entity_decode($a, $b, $c);
+ $newstring = $a;
+ if ($keepsomeentities) $newstring = strtr($newstring, array('&'=>'__andamp__', '<'=>'__andlt__', '>'=>'__andgt__', '"'=>'__dquot__'));
+ $newstring = html_entity_decode($newstring, $b, $c);
+ if ($keepsomeentities) $newstring = strtr($newstring, array('__andamp__'=>'&', '__andlt__'=>'<', '__andgt__'=>'>', '__dquot__'=>'"'));
+ return $newstring;
}
/**
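Review bot: With `$keepsomeentities` set, the first `strtr` replaces every raw `&` with `__andamp__`, so no entity reaches `html_entity_decode()` intact and the call decodes nothing. If the intent is to keep only `&amp;`, `&lt;`, `&gt;` and `&quot;` encoded while decoding everything else, the map should mask the entities rather than the characters: `array('&amp;'=>'__andamp__', '&lt;'=>'__andlt__', '&gt;'=>'__andgt__', '&quot;'=>'__dquot__')`, with the inverse map on the restore line. The placeholders are ordinary text, so input that already contains a string like `__andlt__` comes back altered after the restore step. That is worth a line in the docblock, or the markers should be ones that cannot occur in submitted text. The new `@param` should read `int $keepsomeentities` and name the entities that stay encoded, since "Entities but &, <, >, \" are not converted" can be read either way.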