diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php
index d7c5a3bf49b..0bbdc36f548 100644
--- a/htdocs/admin/menus/edit.php
+++ b/htdocs/admin/menus/edit.php
@@ -71,65 +71,6 @@ if (GETPOST("menu_handler")) { * Actions */ -if ($action == 'update') { - if (!$cancel) { - $leftmenu = ''; $mainmenu = ''; - if (GETPOST('menuIdParent', 'alphanohtml') && !is_numeric(GETPOST('menuIdParent', 'alphanohtml'))) { - $tmp = explode('&', GETPOST('menuIdParent', 'alphanohtml')); - foreach ($tmp as $s) { - if (preg_match('/fk_mainmenu=/', $s)) { - $mainmenu = preg_replace('/fk_mainmenu=/', '', $s); - } - if (preg_match('/fk_leftmenu=/', $s)) { - $leftmenu = preg_replace('/fk_leftmenu=/', '', $s); - } - } - } - - $menu = new Menubase($db); - $result = $menu->fetch(GETPOST('menuId', 'int')); - if ($result > 0) { - $menu->title = (string) GETPOST('titre', 'alphanohtml'); - $menu->leftmenu = (string) GETPOST('leftmenu', 'aZ09'); - $menu->url = (string) GETPOST('url', 'alphanohtml'); - $menu->langs = (string) GETPOST('langs', 'alphanohtml'); - $menu->position = (int) GETPOST('position', 'int'); - $menu->enabled = (string) GETPOST('enabled', 'alphanohtml'); - $menu->perms = (string) GETPOST('perms', 'alphanohtml'); - $menu->target = (string) GETPOST('target', 'alphanohtml'); - $menu->user = (string) GETPOST('user', 'alphanohtml'); - $menu->mainmenu = (string) GETPOST('propertymainmenu', 'alphanohtml'); - if (is_numeric(GETPOST('menuIdParent', 'alphanohtml'))) { - $menu->fk_menu = (int) GETPOST('menuIdParent', 'alphanohtml'); - } else { - if (GETPOST('type', 'alphanohtml') == 'top') { - $menu->fk_menu = 0; - } else { - $menu->fk_menu = -1; - } - $menu->fk_mainmenu = $mainmenu; - $menu->fk_leftmenu = $leftmenu; - } - - $result = $menu->update($user); - if ($result > 0) { - setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); - } else { - setEventMessages($menu->error, $menu->errors, 'errors'); - } - } else { - setEventMessages($menu->error, $menu->errors, 'errors'); - } - $action = "edit"; - - header("Location: ".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".$menu_handler); - exit; - } else { - header("Location: 
".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".$menu_handler); - exit; - } -} - if ($action == 'add') { if ($cancel) { header("Location: ".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".$menu_handler); @@ -138,8 +79,8 @@ if ($action == 'add') { $leftmenu = ''; $mainmenu = ''; - if (GETPOST('menuId', 'alphanohtml', 3) && !is_numeric(GETPOST('menuId', 'alphanohtml', 3))) { - $tmp = explode('&', GETPOST('menuId', 'alphanohtml', 3)); + if (GETPOST('menuIdParent', 'alphanohtml') && !is_numeric(GETPOST('menuIdParent', 'alphanohtml'))) { + $tmp = explode('&', GETPOST('menuIdParent', 'alphanohtml')); foreach ($tmp as $s) { if (preg_match('/fk_mainmenu=/', $s)) { $mainmenu = preg_replace('/fk_mainmenu=/', '', $s); @@ -173,12 +114,12 @@ if ($action == 'add') { $action = 'create'; $error++; } - if (!$error && GETPOST('menuId', 'alphanohtml', 3) && GETPOST('type') == 'top') { + if (!$error && GETPOST('menuIdParent', 'alphanohtml') && GETPOST('type') == 'top') { setEventMessages($langs->trans("ErrorTopMenuMustHaveAParentWithId0"), null, 'errors'); $action = 'create'; $error++; } - if (!$error && !GETPOST('menuId', 'alphanohtml', 3) && GETPOST('type') == 'left') { + if (!$error && !GETPOST('menuIdParent', 'alphanohtml') && GETPOST('type') == 'left') { setEventMessages($langs->trans("ErrorLeftMenuMustHaveAParentId"), null, 'errors'); $action = 'create'; $error++; @@ -189,6 +130,7 @@ if ($action == 'add') { $menu->menu_handler = preg_replace('/_menu$/', '', GETPOST('menu_handler', 'aZ09')); $menu->type = (string) GETPOST('type', 'alphanohtml'); $menu->title = (string) GETPOST('titre', 'alphanohtml'); + $menu->prefix = (string) GETPOST('picto', 'restricthtmlallowclass'); $menu->url = (string) GETPOST('url', 'alphanohtml'); $menu->langs = (string) GETPOST('langs', 'alphanohtml'); $menu->position = (int) GETPOST('position', 'int'); 
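Review bot: The renamed `GETPOST('menuIdParent', 'alphanohtml')` calls in the `add` handler no longer pass the third argument `3`, so the parent id is now read with GETPOST's default source order (GET before POST) instead of POST first. For a handler that writes a menu row, reading the field from the request body only is the tighter choice, for example `GETPOST('menuIdParent', 'alphanohtml', 2)`; if the wider lookup is intended, a one-line comment saying why would help. The same applies to the renamed calls in the `@@ -173` and `@@ -197` hunks and to the new `update` block. The `add` block starts and ends outside this hunk.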
@@ -197,8 +139,8 @@ if ($action == 'add') {
 $menu->target = (string) GETPOST('target', 'alphanohtml');
 $menu->user = (string) GETPOST('user', 'alphanohtml');
 $menu->mainmenu = (string) GETPOST('propertymainmenu', 'alphanohtml');
- if (is_numeric(GETPOST('menuId', 'alphanohtml', 3))) {
- $menu->fk_menu = (int) GETPOST('menuId', 'alphanohtml', 3);
+ if (is_numeric(GETPOST('menuIdParent', 'alphanohtml'))) {
+ $menu->fk_menu = (int) GETPOST('menuIdParent', 'alphanohtml');
 } else {
 if (GETPOST('type', 'alphanohtml') == 'top') {
 $menu->fk_menu = 0;
@@ -220,6 +162,78 @@ if ($action == 'add') { } } +if ($action == 'update') { + if (!$cancel) { + $leftmenu = ''; $mainmenu = ''; + if (GETPOST('menuIdParent', 'alphanohtml') && !is_numeric(GETPOST('menuIdParent', 'alphanohtml'))) { + $tmp = explode('&', GETPOST('menuIdParent', 'alphanohtml')); + foreach ($tmp as $s) { + if (preg_match('/fk_mainmenu=/', $s)) { + $mainmenu = preg_replace('/fk_mainmenu=/', '', $s); + } + if (preg_match('/fk_leftmenu=/', $s)) { + $leftmenu = preg_replace('/fk_leftmenu=/', '', $s); + } + } + } + + $error = 0; + if (!$error && !GETPOST('url')) { + setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("URL")), null, 'errors'); + $action = 'create'; + $error++; + } + + if (!$error) { + $menu = new Menubase($db); + $result = $menu->fetch(GETPOST('menuId', 'int')); + if ($result > 0) { + $menu->title = (string) GETPOST('titre', 'alphanohtml'); + $menu->prefix = (string) GETPOST('picto', 'restricthtmlallowclass'); + $menu->leftmenu = (string) GETPOST('leftmenu', 'aZ09'); + $menu->url = (string) GETPOST('url', 'alphanohtml'); + $menu->langs = (string) GETPOST('langs', 'alphanohtml'); + $menu->position = (int) GETPOST('position', 'int'); + $menu->enabled = (string) GETPOST('enabled', 'alphanohtml'); + $menu->perms = (string) GETPOST('perms', 'alphanohtml'); + $menu->target = (string) GETPOST('target', 'alphanohtml'); + $menu->user = (string) GETPOST('user', 'alphanohtml'); + $menu->mainmenu = (string) GETPOST('propertymainmenu', 'alphanohtml'); + if (is_numeric(GETPOST('menuIdParent', 'alphanohtml'))) { + $menu->fk_menu = (int) GETPOST('menuIdParent', 'alphanohtml'); + } else { + if (GETPOST('type', 'alphanohtml') == 'top') { + $menu->fk_menu = 0; + } else { + $menu->fk_menu = -1; + } + $menu->fk_mainmenu = $mainmenu; + $menu->fk_leftmenu = $leftmenu; + } + + $result = $menu->update($user); + if ($result > 0) { + setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); + } else { + 
setEventMessages($menu->error, $menu->errors, 'errors'); + } + } else { + setEventMessages($menu->error, $menu->errors, 'errors'); + } + + $action = "edit"; + + header("Location: ".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".$menu_handler); + exit; + } else { + $action = 'edit'; + } + } else { + header("Location: ".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".$menu_handler); + exit; + } +} + /* @@ -239,14 +253,14 @@ if ($action == 'create') { { if (jQuery("#topleft").val() == \'top\') { - jQuery("#menuId").prop("disabled", true); - jQuery("#menuId").val(\'\'); + jQuery("#menuIdParent").prop("disabled", true); + jQuery("#menuIdParent").val(\'\'); jQuery("#propertymainmenu").removeAttr("disabled"); jQuery("#propertymainmenu").val(\'\'); } if (jQuery("#topleft").val() == \'left\') { - jQuery("#menuId").removeAttr("disabled"); + jQuery("#menuIdParent").removeAttr("disabled"); jQuery("#propertymainmenu").prop("disabled", true); } } @@ -275,7 +289,9 @@ if ($action == 'create') { $parent_level = ''; if (GETPOST('menuId', 'int')) { - $sql = "SELECT m.rowid, m.mainmenu, m.leftmenu, m.level, m.langs FROM ".MAIN_DB_PREFIX."menu as m WHERE m.rowid = ".GETPOST('menuId', 'int'); + $sql = "SELECT m.rowid, m.mainmenu, m.leftmenu, m.level, m.langs"; + $sql .= " FROM ".MAIN_DB_PREFIX."menu as m"; + $sql .= " WHERE m.rowid = ".((int) GETPOST('menuId', 'int')); $res = $db->query($sql); if ($res) { while ($menu = $db->fetch_array($res)) { @@ -331,9 +347,9 @@ if ($action == 'create') { // MenuId Parent print ''.$langs->trans('MenuIdParent').''; if ($parent_rowid) { - print ''.$parent_rowid.''; + print ''.$parent_rowid.''; } else { - print ''; + print ''; } print ''.$langs->trans('DetailMenuIdParent'); print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def'; 
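Review bot: In the new `update` block the `fk_mainmenu=` / `fk_leftmenu=` fragments of `menuIdParent` are matched with unanchored patterns, so `preg_replace('/fk_mainmenu=/', '', $s)` keeps whatever else is in the fragment and that text is stored on `$menu->fk_mainmenu` with only the `alphanohtml` filter, while `leftmenu` a few lines below is read with `aZ09`. If menu keys are meant to be plain identifiers, capture just the value: `if (preg_match('/^fk_mainmenu=([a-zA-Z0-9_]+)$/', $s, $reg)) { $mainmenu = $reg[1]; }`, and the same for `fk_leftmenu`. The `add` handler carries an identical loop, so a small shared helper would keep the two in step. Separately, `$action = 'create'` in the missing-URL check is overwritten by the final `else { $action = 'edit'; }`; setting `'edit'` there directly would read more clearly.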
@@ -343,17 +359,21 @@ if ($action == 'create') { print ''.$langs->trans('Title').''; print ''.$langs->trans('DetailTitre').''; + // Picto + print ''.$langs->trans('Image').''; + print ''.$langs->trans('Example').': fa-global'; + // URL print ''.$langs->trans('URL').''; - print ''.$langs->trans('DetailUrl').''; + print ''.$langs->trans('DetailUrl').''; // Langs print ''.$langs->trans('LangFile').''; - print ''.$langs->trans('DetailLangs').''; + print ''.$langs->trans('DetailLangs').''; // Position print ''.$langs->trans('Position').''; - print ''.$langs->trans('DetailPosition').''; + print ''.$langs->trans('DetailPosition').''; // Enabled print ''.$langs->trans('Enabled').''; @@ -383,7 +403,8 @@ if ($action == 'create') { print load_fiche_titre($langs->trans("ModifMenu"), '', 'title_setup'); print '
'; - print '
'; + print ''; + print ''; print ''; print ''; print ''; @@ -434,7 +455,7 @@ if ($action == 'create') { } else {*/ - print 'mainmenu).'">'; + print 'mainmenu).'">'; //} print ''; print $langs->trans("Example").': mytopmenukey'; @@ -451,7 +472,7 @@ if ($action == 'create') { if ($menu->fk_leftmenu) { $valtouse .= '&fk_leftmenu='.$menu->fk_leftmenu; } - print ''; + print ''; print ''.$langs->trans('DetailMenuIdParent'); print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def'; print ''; @@ -463,9 +484,13 @@ if ($action == 'create') { print ''.$langs->trans('Title').''; print ''.$langs->trans('DetailTitre').''; - // Url + // URL print ''.$langs->trans('URL').''; - print ''.$langs->trans('DetailUrl').''; + print ''.$langs->trans('DetailUrl').''; + + // Picto + print ''.$langs->trans('Image').''; + print ''.$langs->trans('Example').': fa-global'; // Langs print ''.$langs->trans('LangFile').''; @@ -473,7 +498,7 @@ if ($action == 'create') { // Position print ''.$langs->trans('Position').''; - print ''.$langs->trans('DetailPosition').''; + print ''.$langs->trans('DetailPosition').''; // Enabled print ''.$langs->trans('Enabled').''; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 5b47c3d31b6..5e1af04dc5f 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -955,8 +955,6 @@ function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options = */ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options = null) { - global $conf; - // TODO : use class "Validate" to perform tests (and add missing tests) if needed for factorize // Check is done after replacement switch ($check) { 
@@ -1044,8 +1042,9 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options case 'nohtml': // No html $out = dol_string_nohtmltag($out, 0); break; - case 'restricthtml': // Recommended for most html textarea case 'restricthtmlnolink': + case 'restricthtml': // Recommended for most html textarea + case 'restricthtmlallowclass': case 'restricthtmlallowunvalid': $out = dol_htmlwithnojs($out, 1, $check); break; @@ -7356,7 +7355,7 @@ function dol_nl2br($stringtoencode, $nl2brmode = 0, $forxml = false) * * @param string $stringtoencode String to encode * @param int $nouseofiframesandbox Allow use of option MAIN_SECURITY_USE_SANDBOX_FOR_HTMLWITHNOJS for html sanitizing - * @param string $check 'restricthtmlnolink' or 'restricthtml' or 'restricthtmlallowunvalid' + * @param string $check 'restricthtmlnolink' or 'restricthtml' or 'restricthtmlallowclass' or 'restricthtmlallowunvalid' * @return string HTML sanitized */ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = 'restricthtml') @@ -7415,7 +7414,7 @@ function dol_htmlwithnojs($stringtoencode, $nouseofiframesandbox = 0, $check = ' $out = preg_replace('/&#x?[0-9]+/i', '', $out); // For example if we have javascript with an entities without the ; to hide the 'a' of 'javascript'. // Keep only some html tags and remove also some 'javascript:' strings - $out = dol_string_onlythesehtmltags($out, 0, 1, 1); + $out = dol_string_onlythesehtmltags($out, 0, ($check == 'restricthtmlallowclass' ? 0 : 1), 1); // We should also exclude non expected HTML attributes and clean content of some attributes (keep only alt=, title=...). if (!empty($conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES)) { diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php index 5e586cecd99..0194c45b457 100644 --- a/htdocs/core/menus/standard/eldy.lib.php +++ b/htdocs/core/menus/standard/eldy.lib.php 
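Review bot: The mode switch in `dol_htmlwithnojs()` uses a loose comparison, `$check == 'restricthtmlallowclass'`; on PHP versions before 8 a non-string `$check` such as `0` compares equal to any non-numeric string and would select the relaxed mode, so `===` is the safer form: `dol_string_onlythesehtmltags($out, 0, ($check === 'restricthtmlallowclass' ? 0 : 1), 1);`. The docblock line only lists the new value; it should also say what the mode relaxes (presumably that `class` attributes are kept) and, if that is the intent, that it is reserved for trusted admin-only fields such as the menu `picto`. Note too that the attribute clean-up visible just below runs only when `MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES` is set, so unless that option is enabled nothing visible in this hunk constrains the class names that are kept. The function body continues outside the hunk.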
@@ -986,7 +986,14 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM } else { print ''; } - print ($menu_array[$i]['prefix'] ? $menu_array[$i]['prefix'] : '').$menu_array[$i]['titre']; + if (!empty($menu_array[$i]['prefix'])) { + if (preg_match('/^fa-[a-zA-Z0-9-_]+$/', $menu_array[$i]['prefix'])) { + print ''; + } else { + print $menu_array[$i]['prefix']; + } + } + print $menu_array[$i]['titre']; if ($shorturlwithoutparam) { print ''; } else { @@ -997,7 +1004,10 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM } elseif ($showmenu) { // Not enabled but visible (so greyed) print ''."\n"; $lastlevel0 = 'greyed';
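Review bot: The `else` branch in `print_left_eldy_menu()` still prints `$menu_array[$i]['prefix']` verbatim, so any value that is not a bare `fa-` class reaches the page as stored markup and is only as safe as the filtering applied when the row was written. Sanitizing at output as well would cover rows that did not come through the admin form, e.g. `print dol_htmlwithnojs($menu_array[$i]['prefix'], 1, 'restricthtmlallowclass');` (to be checked against the prefixes existing modules ship). In the pattern itself, `$` also matches before a trailing newline and the `-` sits mid-class; `'/^fa-[a-zA-Z0-9_-]+\z/'` is stricter and easier to read. The function starts and ends outside the hunk.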