diff --git a/htdocs/admin/tools/listevents.php b/htdocs/admin/tools/listevents.php
index 172c49abeb8..c6af92ffbb8 100644
--- a/htdocs/admin/tools/listevents.php
+++ b/htdocs/admin/tools/listevents.php
@@ -1,8 +1,8 @@
 <?php
-/* Copyright (C) 2004-2017  Laurent Destailleur	<eldy@users.sourceforge.net>
+/* Copyright (C) 2004-2020  Laurent Destailleur	<eldy@users.sourceforge.net>
  * Copyright (C) 2005-2012  Regis Houssin		<regis.houssin@inodbox.com>
  * Copyright (C) 2015       Bahfir Abbes		<bafbes@gmail.com>
- * Copyright (C) 2018       Frédéric France         <frederic.france@netlogic.fr>
+ * Copyright (C) 2018       Frédéric France     <frederic.france@netlogic.fr>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 248beb0959d..879e6ac8b61 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -2694,7 +2694,15 @@ function dol_print_ip($ip, $mode = 0)
  */
 function getUserRemoteIP()
 {
-	$ip = empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? (empty($_SERVER['HTTP_CLIENT_IP']) ? (empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR']) : $_SERVER['HTTP_CLIENT_IP']) : $_SERVER['HTTP_X_FORWARDED_FOR'];
+	if (empty($_SERVER['HTTP_X_FORWARDED_FOR']) || preg_match('/[^0-9\.\:,\[\]]/', $_SERVER['HTTP_X_FORWARDED_FOR'])) {
+		if (empty($_SERVER['HTTP_CLIENT_IP']) || preg_match('/[^0-9\.\:,\[\]]/', $_SERVER['HTTP_CLIENT_IP'])) {
+			$ip = (empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR']);
+		} else {
+			$ip = $_SERVER['HTTP_CLIENT_IP']; // value is clean here
+		}
+	} else {
+		$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];	// value is clean here
+	}
 	return $ip;
 }
 
diff --git a/test/phpunit/FunctionsLibTest.php b/test/phpunit/FunctionsLibTest.php
index e3dabff6df9..d113cde8035 100644
--- a/test/phpunit/FunctionsLibTest.php
+++ b/test/phpunit/FunctionsLibTest.php
@@ -1312,4 +1312,32 @@ class FunctionsLibTest extends PHPUnit\Framework\TestCase
 
     	return true;
     }
+
+
+    /**
+     * testGetUserRemoteIP
+     *
+     * @return boolean
+     */
+    public function testGetUserRemoteIP()
+    {
+    	global $conf, $langs;
+
+    	$_SERVER['HTTP_X_FORWARDED_FOR']='1.2.3.4';
+    	$_SERVER['HTTP_CLIENT_IP']='5.6.7.8';
+    	$result = getUserRemoteIP();
+    	$this->assertEquals($result, '1.2.3.4');
+
+    	$_SERVER['HTTP_X_FORWARDED_FOR']='1.2.3.4<corrupted>';
+    	$_SERVER['HTTP_CLIENT_IP']='5.6.7.8';
+    	$result = getUserRemoteIP();
+    	$this->assertEquals($result, '5.6.7.8');
+
+    	$_SERVER['HTTP_X_FORWARDED_FOR']='[1:2:3:4]';
+    	$_SERVER['HTTP_CLIENT_IP']='5.6.7.8';
+    	$result = getUserRemoteIP();
+    	$this->assertEquals($result, '[1:2:3:4]');
+
+    	return true;
+    }
 }