diff --git a/htdocs/comm/action/document.php b/htdocs/comm/action/document.php index cc25ee03b86..957b32c546e 100755 --- a/htdocs/comm/action/document.php +++ b/htdocs/comm/action/document.php @@ -96,7 +96,7 @@ if ( $_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) if ($_GET["action"] == 'delete') { $upload_dir = $conf->agenda->dir_output.'/'.dol_sanitizeFileName($objectid); - $file = $upload_dir . '/' . urldecode($_GET['urlfile']); + $file = $upload_dir . '/' . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). dol_delete_file($file); } diff --git a/htdocs/comm/propal/document.php b/htdocs/comm/propal/document.php index 8df14b0133a..0d5cdecea3b 100644 --- a/htdocs/comm/propal/document.php +++ b/htdocs/comm/propal/document.php @@ -22,7 +22,7 @@ /** \file htdocs/comm/propal/document.php \ingroup propale - \brief Page de gestion des documents attachées à une proposition commerciale + \brief Page de gestion des documents attach�es � une proposition commerciale \version $Id$ */ @@ -84,7 +84,7 @@ if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) } else { - // Echec transfert (fichier dépassant la limite ?) + // Echec transfert (fichier d�passant la limite ?) $mesg = '
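Review bot: Nothing on the new `$file = $upload_dir . '/' . $_GET['urlfile'];` line rejects `..` or a leading `/` before `dol_delete_file($file)` runs, so unless `dol_delete_file` itself refuses such names (not visible here) the deletable path is not confined to `$upload_dir`; dropping the extra `urldecode` is correct, but it adds no check. The same pattern is repeated in the `delete` hunks of htdocs/comm/propal/document.php, commande/document.php, compta/facture/document.php, contrat/document.php, ecm/docmine.php, ecm/index.php, fichinter/document.php, fourn/commande/document.php, fourn/facture/document.php, product/document.php and societe/document.php. `dol_move_uploaded_file`, later in this same diff, already applies `eregi('\.\.', ...)` to upload names, and the delete sites could reuse that guard before the `$file` assignment: `if (eregi('\.\.', $_GET['urlfile']) || eregi('^/', $_GET['urlfile'])) { dol_syslog("Refused to delete file ".$_GET['urlfile'], LOG_WARNING); exit; }`. The `if ($_GET["action"] == 'delete')` block is fully inside the hunk, but any permission check earlier in the page is not.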
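Review bot: The new `\brief` line turns `attachées à` into bytes that no longer decode as UTF-8 (`attach�es �`), and the same happens to the French comments in the later hunks of this file and in compta/facture/document.php, contrat/document.php and fichinter/document.php. If this is not an artifact of how the diff was rendered, the commit is re-encoding comment text to a single-byte charset inside files that are otherwise UTF-8, which leaves mixed encodings in the source; the `utf8_decode` added in `dol_move_uploaded_file` shows that the intended place for ISO conversion is the filesystem call, not the source text. Keep the line as `\brief Page de gestion des documents attachées à une proposition commerciale` (or an ASCII equivalent such as `\brief Management page for documents attached to a commercial proposal`) and keep each file in one encoding.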
'.$langs->trans("ErrorFileNotUploaded").'
'; // print_r($_FILES); } @@ -101,7 +101,7 @@ if ($action=='delete') if ($propal->fetch($propalid)) { $upload_dir = $conf->propale->dir_output . "/" . dol_sanitizeFileName($propal->ref); - $file = $upload_dir . '/' . urldecode($_GET['urlfile']); + $file = $upload_dir . '/' . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). dol_delete_file($file); $mesg = '
'.$langs->trans("FileWasRemoved").'
'; } @@ -142,7 +142,7 @@ if ($propalid > 0) // Ref print ''.$langs->trans('Ref').''.$propal->ref.''; - // Société + // Soci�t� print ''.$langs->trans('Company').''.$societe->getNomUrl(1).''; print ''.$langs->trans("NbOfAttachedFiles").''.sizeof($filearray).''; diff --git a/htdocs/commande/document.php b/htdocs/commande/document.php index 9bdf75885c0..d8e65ee06e3 100644 --- a/htdocs/commande/document.php +++ b/htdocs/commande/document.php @@ -98,7 +98,7 @@ if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) if ($action=='delete') { $upload_dir = $conf->commande->dir_output . "/" . dol_sanitizeFileName($commande->ref); - $file = $upload_dir . '/' . urldecode($_GET['urlfile']); + $file = $upload_dir . '/' . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). dol_delete_file($file); $mesg = '
'.$langs->trans("FileWasRemoved").'
'; } diff --git a/htdocs/compta/facture/document.php b/htdocs/compta/facture/document.php index daea34688cb..39f0c2f04ba 100644 --- a/htdocs/compta/facture/document.php +++ b/htdocs/compta/facture/document.php @@ -22,7 +22,7 @@ /** \file htdocs/compta/facture/document.php \ingroup facture - \brief Page de gestion des documents attachées à une facture + \brief Page de gestion des documents attach�es � une facture \version $Id$ */ @@ -85,7 +85,7 @@ if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) } else { - // Echec transfert (fichier dépassant la limite ?) + // Echec transfert (fichier d�passant la limite ?) $mesg = '
'.$langs->trans("ErrorFileNotUploaded").'
'; // print_r($_FILES); } @@ -102,7 +102,7 @@ if ($action=='delete') if ($facture->fetch($facid)) { $upload_dir = $conf->facture->dir_output . "/" . dol_sanitizeFileName($facture->ref); - $file = $upload_dir . '/' . urldecode($_GET['urlfile']); + $file = $upload_dir . '/' . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). dol_delete_file($file); $mesg = '
'.$langs->trans("FileWasRemoved").'
'; } @@ -143,7 +143,7 @@ if ($facid > 0) // Ref print ''.$langs->trans('Ref').''.$facture->ref.''; - // Société + // Soci�t� print ''.$langs->trans('Company').''.$societe->getNomUrl(1).''; print ''.$langs->trans("NbOfAttachedFiles").''.sizeof($filearray).''; diff --git a/htdocs/contrat/document.php b/htdocs/contrat/document.php index c53b0a0b254..2acc56f6975 100644 --- a/htdocs/contrat/document.php +++ b/htdocs/contrat/document.php @@ -73,7 +73,7 @@ $modulepart='contract'; if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) { /* - * Creation répertoire si n'existe pas + * Creation r�pertoire si n'existe pas */ if (! is_dir($upload_dir)) create_exdir($upload_dir); @@ -86,7 +86,7 @@ if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) } else { - // Echec transfert (fichier dépassant la limite ?) + // Echec transfert (fichier d�passant la limite ?) $mesg = '
'.$langs->trans("ErrorFileNotUploaded").'
'; // print_r($_FILES); } @@ -115,7 +115,7 @@ if ($contrat->id) if ($_GET["action"] == 'delete') { - $file = $upload_dir . '/' . urldecode($_GET['urlfile']); + $file = $upload_dir . '/' . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). $result=dol_delete_file($file); //if ($result >= 0) $mesg=$langs->trans("FileWasRemoced"); } diff --git a/htdocs/document.php b/htdocs/document.php index 0a701647e15..f08277fb44e 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -68,7 +68,7 @@ function llxHeader() { } // Define mime type $type = 'application/octet-stream'; -if (! empty($_GET["type"])) $type=urldecode($_GET["type"]); +if (! empty($_GET["type"])) $type=$_GET["type"]; else $type=dol_mimetype($original_file); // Define attachment (attachment=true to force choice popup 'open'/'save as') @@ -93,9 +93,9 @@ if (eregi('\.vcs$',$original_file)) { $attachment = true; } if (eregi('\.ics$',$original_file)) { $attachment = true; } if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false; - // Suppression de la chaine de caractere ../ dans $original_file -$original_file = str_replace("../","/", "$original_file"); +$original_file = str_replace("../","/", $original_file); + // find the subdirectory name as the reference $refname=basename(dirname($original_file)."/"); diff --git a/htdocs/ecm/docdir.php b/htdocs/ecm/docdir.php index 306de9d2260..e9b6aad92c8 100644 --- a/htdocs/ecm/docdir.php +++ b/htdocs/ecm/docdir.php 
@@ -201,7 +201,7 @@ if (! $_GET["action"] || $_GET["action"] == 'delete_section') // Confirmation de la suppression d'une ligne categorie if ($_GET['action'] == 'delete_section') { - $ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.urldecode($_GET["section"]), $langs->trans('DeleteSection'), $langs->trans('ConfirmDeleteSection',$ecmdir->label), 'confirm_deletesection'); + $ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.$_GET["section"], $langs->trans('DeleteSection'), $langs->trans('ConfirmDeleteSection',$ecmdir->label), 'confirm_deletesection'); if ($ret == 'html') print '
'; } diff --git a/htdocs/ecm/docfile.php b/htdocs/ecm/docfile.php index a0a6f7902c3..57bb94cd515 100644 --- a/htdocs/ecm/docfile.php +++ b/htdocs/ecm/docfile.php @@ -203,7 +203,7 @@ if (! $_GET["action"] || $_GET["action"] == 'delete_section') // Confirmation de la suppression d'une ligne categorie if ($_GET['action'] == 'delete_section') { - $ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.urldecode($_GET["section"]), $langs->trans('DeleteSection'), $langs->trans('ConfirmDeleteSection',$ecmdir->label), 'confirm_deletesection'); + $ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.urlencode($_GET["section"]), $langs->trans('DeleteSection'), $langs->trans('ConfirmDeleteSection',$ecmdir->label), 'confirm_deletesection'); if ($ret == 'html') print '
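Review bot: In docdir.php the `section` value is now concatenated raw into the confirmation URL (`'?section='.$_GET["section"]`), whereas the parallel hunks in ecm/docfile.php and ecm/index.php switch the same call to `urlencode($_GET["section"])`. Because the value is being placed back into a query string it should be encoded here too: `$ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.urlencode($_GET["section"]), $langs->trans('DeleteSection'), $langs->trans('ConfirmDeleteSection',$ecmdir->label), 'confirm_deletesection');`; a section value containing `&` or `#` would otherwise produce a broken link. Whether `form_confirm` HTML-escapes the URL it receives is not visible from this hunk.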
'; } diff --git a/htdocs/ecm/docmine.php b/htdocs/ecm/docmine.php index d764c27692d..40d5cda3267 100644 --- a/htdocs/ecm/docmine.php +++ b/htdocs/ecm/docmine.php @@ -130,7 +130,7 @@ if ( $_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) // Remove file if ($_POST['action'] == 'confirm_deletefile' && $_POST['confirm'] == 'yes') { - $file = $upload_dir . "/" . urldecode($_GET["urlfile"]); + $file = $upload_dir . "/" . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). $result=dol_delete_file($file); $mesg = '
'.$langs->trans("FileWasRemoved").'
'; @@ -341,7 +341,7 @@ if ($mesg) { print '
'.$mesg.'
'; } // Confirm remove file if ($_GET['action'] == 'delete') { - $ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.$_REQUEST["section"].'&urlfile='.urldecode($_GET["urlfile"]), $langs->trans('DeleteFile'), $langs->trans('ConfirmDeleteFile'), 'confirm_deletefile'); + $ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.$_REQUEST["section"].'&urlfile='.urlencode($_GET["urlfile"]), $langs->trans('DeleteFile'), $langs->trans('ConfirmDeleteFile'), 'confirm_deletefile'); if ($ret == 'html') print '
'; } diff --git a/htdocs/ecm/index.php b/htdocs/ecm/index.php index 5bb3b44a948..ebe9f27f993 100644 --- a/htdocs/ecm/index.php +++ b/htdocs/ecm/index.php @@ -132,27 +132,6 @@ if ( $_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) } } -// Remove file -if ($_POST['action'] == 'confirm_deletefile' && $_POST['confirm'] == 'yes') -{ - $result=$ecmdir->fetch($_REQUEST["section"]); - if (! $result > 0) - { - dol_print_error($db,$ecmdir->error); - exit; - } - $relativepath=$ecmdir->getRelativePath(); - $upload_dir = $conf->ecm->dir_output.'/'.$relativepath; - $file = $upload_dir . "/" . urldecode($_GET["urlfile"]); - - $result=dol_delete_file($file); - - $mesg = '
'.$langs->trans("FileWasRemoved").'
'; - - $result=$ecmdir->changeNbOfFiles('-'); - $action='file_manager'; -} - // Action ajout d'un produit ou service if ($_POST["action"] == 'add' && $user->rights->ecm->setup) { @@ -173,8 +152,29 @@ if ($_POST["action"] == 'add' && $user->rights->ecm->setup) } } -// Suppression fichier -if ($_POST['action'] == 'confirm_deletesection' && $_POST['confirm'] == 'yes') +// Remove file +if ($_REQUEST['action'] == 'confirm_deletefile' && $_REQUEST['confirm'] == 'yes') +{ + $result=$ecmdir->fetch($_REQUEST["section"]); + if (! $result > 0) + { + dol_print_error($db,$ecmdir->error); + exit; + } + $relativepath=$ecmdir->getRelativePath(); + $upload_dir = $conf->ecm->dir_output.'/'.$relativepath; + $file = $upload_dir . "/" . $_REQUEST['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). + + $result=dol_delete_file($file); + + $mesg = '
'.$langs->trans("FileWasRemoved").'
'; + + $result=$ecmdir->changeNbOfFiles('-'); + $action='file_manager'; +} + +// Remove directory +if ($_REQUEST['action'] == 'confirm_deletesection' && $_REQUEST['confirm'] == 'yes') { $result=$ecmdir->delete($user); $mesg = '
'.$langs->trans("ECMSectionWasRemoved", $ecmdir->label).'
'; @@ -221,7 +221,7 @@ print "
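Review bot: The relocated "Remove file" block now reads `action`, `confirm` and `urlfile` from `$_REQUEST` instead of `$_POST`, so `action=confirm_deletefile&confirm=yes` is honoured from a plain GET link as well as from the confirmation form, and a state-changing delete reachable by GET is easier to trigger cross-site than one bound to a POST. The neighbouring `if ($_POST["action"] == 'add' && $user->rights->ecm->setup)` gates the add action on a right, but neither the delete-file nor the delete-section branch in this hunk tests any `$user->rights` value, so unless that is enforced earlier in the file (not visible) both delete paths are unguarded. If `$_REQUEST` is needed for the new `form_confirm(...,'','',1)` call style, keep at least the confirmation on POST and add the rights test, e.g. `if ($_REQUEST['action'] == 'confirm_deletefile' && $_POST['confirm'] == 'yes' && $user->rights->ecm->setup)` (or whichever right is meant to cover deletion). `$_REQUEST['urlfile']` also flows into `$file` without any `..` check before `dol_delete_file`.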
\n"; // Confirm remove file if ($_GET['action'] == 'delete') { - $ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.$_REQUEST["section"].'&urlfile='.urldecode($_GET["urlfile"]), $langs->trans('DeleteFile'), $langs->trans('ConfirmDeleteFile'), 'confirm_deletefile'); + $ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.$_REQUEST["section"].'&urlfile='.urlencode($_GET["urlfile"]), $langs->trans('DeleteFile'), $langs->trans('ConfirmDeleteFile'), 'confirm_deletefile','','',1); if ($ret == 'html') print '
'; } @@ -246,7 +246,7 @@ if (empty($action) || $action == 'file_manager' || eregi('refresh',$action) || $ // Confirmation de la suppression d'une ligne categorie if ($_GET['action'] == 'delete_section') { - $ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.urldecode($_GET["section"]), $langs->trans('DeleteSection'), $langs->trans('ConfirmDeleteSection',$ecmdir->label), 'confirm_deletesection'); + $ret=$form->form_confirm($_SERVER["PHP_SELF"].'?section='.urlencode($_GET["section"]), $langs->trans('DeleteSection'), $langs->trans('ConfirmDeleteSection',$ecmdir->label), 'confirm_deletesection','','',1); if ($ret == 'html') print '
'; } diff --git a/htdocs/fichinter/document.php b/htdocs/fichinter/document.php index 07cbbfb2a24..67fa06f4961 100644 --- a/htdocs/fichinter/document.php +++ b/htdocs/fichinter/document.php @@ -70,7 +70,7 @@ $modulepart='fichinter'; if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) { /* - * Creation répertoire si n'existe pas + * Creation r�pertoire si n'existe pas */ if (! is_dir($upload_dir)) create_exdir($upload_dir); @@ -83,7 +83,7 @@ if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) } else { - // Echec transfert (fichier dépassant la limite ?) + // Echec transfert (fichier d�passant la limite ?) $mesg = '
'.$langs->trans("ErrorFileNotUploaded").'
'; // print_r($_FILES); } @@ -114,7 +114,7 @@ if ($object->id) if ($_GET["action"] == 'delete') { - $file = $upload_dir . '/' . urldecode($_GET['urlfile']); + $file = $upload_dir . '/' . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). $result=dol_delete_file($file); //if ($result >= 0) $mesg=$langs->trans("FileWasRemoced"); } diff --git a/htdocs/fourn/commande/document.php b/htdocs/fourn/commande/document.php index dc98bc8efff..e989f8a0f38 100644 --- a/htdocs/fourn/commande/document.php +++ b/htdocs/fourn/commande/document.php @@ -99,7 +99,7 @@ if ($_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) if ($action=='delete') { $upload_dir = $conf->fournisseur->dir_output . "/commande/" . dol_sanitizeFileName($commande->ref); - $file = $upload_dir . '/' . urldecode($_GET['urlfile']); + $file = $upload_dir . '/' . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). dol_delete_file($file); $mesg = '
'.$langs->trans("FileWasRemoved").'
'; } diff --git a/htdocs/fourn/facture/document.php b/htdocs/fourn/facture/document.php index 8b0482541da..0c0b12ce6ea 100644 --- a/htdocs/fourn/facture/document.php +++ b/htdocs/fourn/facture/document.php @@ -98,7 +98,7 @@ if ($action=='delete') { $upload_dir = $conf->fournisseur->dir_output.'/facture/'.get_exdir($facture->id,2).$facture->id; - $file = $upload_dir . '/' . urldecode($_GET['urlfile']); + $file = $upload_dir . '/' . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). dol_delete_file($file); $mesg = '
'.$langs->trans('FileWasRemoved').'
'; } diff --git a/htdocs/html.formfile.class.php b/htdocs/html.formfile.class.php index 76334efd0e8..d74a08f5518 100644 --- a/htdocs/html.formfile.class.php +++ b/htdocs/html.formfile.class.php @@ -461,7 +461,7 @@ class FormFile if ($forcedownload) print '&type=application/binary'; print '&file='.urlencode($relativepath.$file['name']).'">'; print img_mime($file['name']).' '; - print dol_trunc($file['name'],$maxlength,'middle'); + print htmlentities(dol_trunc($file['name'],$maxlength,'middle')); print ''; print "\n"; print ''.dol_print_size($file['size']).''; @@ -469,7 +469,7 @@ class FormFile print ''; //print ' '; if ($permtodelete) - print ''.img_delete().''; + print ''.img_delete().''; else print ' '; print "\n"; diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php index 4dcebf7fd2c..10bb9bca0ab 100644 --- a/htdocs/lib/functions.lib.php +++ b/htdocs/lib/functions.lib.php @@ -1757,7 +1757,7 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite) // les noms de fichiers. if (eregi('^\.',$src_file) || eregi('\.\.',$src_file) || eregi('[<>|]',$src_file)) { - dol_syslog("Refused to deliver file ".$src_file); + dol_syslog("Refused to deliver file ".$src_file, LOG_WARNING); return -1; } @@ -1766,14 +1766,18 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite) // les noms de fichiers. if (eregi('^\.',$dest_file) || eregi('\.\.',$dest_file) || eregi('[<>|]',$dest_file)) { - dol_syslog("Refused to deliver file ".$dest_file); + dol_syslog("Refused to deliver file ".$dest_file, LOG_WARNING); return -1; } + // The file functions are ISO and data are stored in UTF8 in memory. + $src_file_iso=utf8_decode($src_file); + $file_name_iso=utf8_decode($file_name); + // Check if destination file already exists if (! $allowoverwrite) { - if (file_exists($file_name)) + if (file_exists($file_name_iso)) { dol_syslog("Functions.lib::dol_move_uploaded_file File ".$file_name." already exists", LOG_WARNING); return -2; 
@@ -1781,7 +1785,7 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite) } // Move file - $return=move_uploaded_file($src_file, $file_name); + $return=move_uploaded_file($src_file_iso, $file_name_iso); if ($return) { if (! empty($conf->global->MAIN_UMASK)) @chmod($file_name, octdec($conf->global->MAIN_UMASK)); diff --git a/htdocs/product/document.php b/htdocs/product/document.php index 4cf75df3f07..22a00e95b13 100755 --- a/htdocs/product/document.php +++ b/htdocs/product/document.php @@ -116,7 +116,7 @@ if ($product->id) if ($action=='delete') { - $file = $upload_dir . '/' . urldecode($_GET['urlfile']); + $file = $upload_dir . '/' . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). $result=dol_delete_file($file); //if ($result >= 0) $mesg=$langs->trans("FileWasRemoced"); } diff --git a/htdocs/societe/document.php b/htdocs/societe/document.php index 0f1e3efc682..f36fa3a891e 100644 --- a/htdocs/societe/document.php +++ b/htdocs/societe/document.php @@ -100,7 +100,7 @@ if ( $_POST["sendit"] && ! empty($conf->global->MAIN_UPLOAD_DOC)) // Suppression fichier if ($_REQUEST['action'] == 'confirm_deletefile' && $_REQUEST['confirm'] == 'yes') { - $file = $upload_dir . "/" . urldecode($_GET["urlfile"]); + $file = $upload_dir . "/" . $_GET['urlfile']; // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). dol_delete_file($file); $mesg = '
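Review bot: `move_uploaded_file($src_file_iso, $file_name_iso)` now writes to the ISO-decoded path, but the following context line still runs `@chmod($file_name, octdec($conf->global->MAIN_UMASK))` on the undecoded `$file_name`, so for any name containing non-ASCII characters the chmod targets a path that does not exist and the `@` hides the failure, leaving the uploaded file with the default mode. Use the same variable for both calls: `if (! empty($conf->global->MAIN_UMASK)) @chmod($file_name_iso, octdec($conf->global->MAIN_UMASK));`. The beginning of `dol_move_uploaded_file` and its return value handling are outside this hunk.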
'.$langs->trans("FileWasRemoved").'
'; } diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php index 16b6efda199..7d818d74200 100644 --- a/htdocs/viewimage.php +++ b/htdocs/viewimage.php @@ -26,9 +26,11 @@ \version $Id$ */ -$original_file = isset($_GET["file"])?urldecode($_GET["file"]):''; -$modulepart = urldecode($_GET["modulepart"]); -$type = isset($_GET["type"]) ? urldecode($_GET["type"]) : ''; +// Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). +$action = isset($_GET["action"])?$_GET["action"]:''; +$original_file = isset($_GET["file"])?$_GET["file"]:''; +$modulepart = isset($_GET["modulepart"])?$_GET["modulepart"]:''; +$urlsource = isset($_GET["urlsource"])?$_GET["urlsource"]:''; // Define if we need master or master+main $needmasteronly=false; @@ -59,11 +61,13 @@ else function llxHeader() { } +// Define mime type +$type = 'application/octet-stream'; +if (! empty($_GET["type"])) $type=$_GET["type"]; +else $type=dol_mimetype($original_file); -// Protection, on interdit les .. dans les chemins -$original_file = eregi_replace('\.\.','',$original_file); - - +// Suppression de la chaine de caractere ../ dans $original_file +$original_file = str_replace("../","/", $original_file); $accessallowed=0; if ($modulepart)
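Review bot: The removed protection `eregi_replace('\.\.','',$original_file)` stripped every `..` sequence, while the new `str_replace("../","/", $original_file)` performs a single non-recursive pass, so an input can still hold a `..` path component after the substitution; this is weaker than what it replaces, and the identical line in the htdocs/document.php hunk has the same property. Rejecting the request is more robust than rewriting it, e.g. `if (eregi('\.\.', $original_file) || eregi('^/', $original_file)) { dol_syslog("Refused to deliver file ".$original_file, LOG_WARNING); exit; }`, or resolve the final path with `realpath()` and verify it starts with the intended base directory. `$type` is also taken verbatim from `$_GET["type"]`; if it is later emitted as the Content-Type header (not visible in this hunk), restrict it to a known list of mime types instead of echoing client input. The `$accessallowed` logic that follows is outside the hunk.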