diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 6ba4b005383..c2d1520acfe 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -8232,7 +8232,7 @@ function dol_string_onlythesehtmlattributes($stringtoclean, $allowed_attributes
{
if (is_null($allowed_attributes)) {
$allowed_attributes = array(
- "allow", "allowfullscreen", "alt", "class", "contenteditable", "data-html", "frameborder", "height", "href", "id", "name", "src", "style", "target", "title", "width",
+ "allow", "allowfullscreen", "alt", "async", "class", "content", "contenteditable", "crossorigin", "data-html", "frameborder", "height", "href", "id", "name", "property", "rel", "src", "style", "target", "title", "type", "width",
// HTML5
"header", "footer", "nav", "section", "menu", "menuitem"
);
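Review bot: The six names added on the new array line (`async`, `content`, `crossorigin`, `property`, `rel`, `type`) widen a flat allowlist keyed by attribute name alone, so they now survive on every element the sanitizer lets through, not only the `<script>`/`<link>`/`<meta>` elements they presumably target; whether a per-element check elsewhere narrows that cannot be seen here, because the body of `dol_string_onlythesehtmlattributes` continues outside the hunk, and it is worth confirming before merge. The hunk gives no reason for the additions, so I would put a comment above the line, e.g. `// Attributes needed by the 'restricthtmlallowlinkscript' mode (script async/crossorigin/type, link rel/type, meta property/content)`, with the mode name taken from the accompanying test change. The entries under `// HTML5` on the following line are element names rather than attributes, which makes the list harder to read; that is pre-existing, but a one-line comment saying so would help the next reader.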
diff --git a/test/phpunit/SecurityGETPOSTTest.php b/test/phpunit/SecurityGETPOSTTest.php
index ca7797397f0..ec176634c4e 100644
--- a/test/phpunit/SecurityGETPOSTTest.php
+++ b/test/phpunit/SecurityGETPOSTTest.php
@@ -126,6 +126,7 @@ class SecurityGETPOSTTest extends CommonClassTest
$_POST["param18"] = 'abc';
$_POST["param19"] = 'XSS';
//$_POST["param19"]='XSS';
+ $_GET["param20"] = '';
@@ -415,6 +416,10 @@ class SecurityGETPOSTTest extends CommonClassTest
print __METHOD__." result=".$result."\n";
$this->assertEquals('abc', $result, 'Test anytag with a forbidden value for attribute');
+ $result = GETPOST("param20", 'restricthtmlallowlinkscript');
+ print __METHOD__." result param20 = ".$result."\n";
+ $this->assertEquals('', $result);
+
unset($conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES);