diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 23bb37a8b84..d89c11a76c3 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -1842,6 +1842,17 @@ function dol_escape_php($stringtoescape, $stringforquotes = 2)
 	return 'Bad parameter for stringforquotes in dol_escape_php';
 }
 
+/**
+ *  Returns text escaped for all protocols (so only alpha chars and numbers)
+ *
+ *  @param      string		$stringtoescape		String to escape
+ *  @return     string     		 				Escaped string for XML content.
+ */
+function dol_escape_all($stringtoescape)
+{
+	return preg_replace('/[^a-z0-9_]/i', '', $stringtoescape);
+}
+
 /**
  *  Returns text escaped for inclusion into a XML string
  *
diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php
index 37d8cf0f605..b6de9bb3d9a 100644
--- a/htdocs/fourn/commande/list.php
+++ b/htdocs/fourn/commande/list.php
@@ -1836,7 +1836,7 @@ if ($resql) {
 			// Alias
 			if (!empty($arrayfields['s.name_alias']['checked'])) {
 				print '<td class="tdoverflowmax150" title="'.dol_escape_htmltag($obj->alias).'">';
-				print dol_escape_all($obj->alias);
+				print dol_escape_htmltag($obj->alias);
 				print '</td>'."\n";
 				if (!$i) {
 					$totalarray['nbfield']++;