From c0d00a859f1f9883c85abdeb1d22055ab798dee6 Mon Sep 17 00:00:00 2001
From: John BOTELLA
Date: Wed, 1 Dec 2021 16:59:30 +0100
Subject: [PATCH] use dol_escape_htmltag

---
 htdocs/core/class/html.formsetup.class.php | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/htdocs/core/class/html.formsetup.class.php b/htdocs/core/class/html.formsetup.class.php
index 13dd3a8694c..1778b46995e 100644
--- a/htdocs/core/class/html.formsetup.class.php
+++ b/htdocs/core/class/html.formsetup.class.php
@@ -103,17 +103,6 @@ class FormSetup
  }
  }
- /**
- * a quick method to sanitize html attributes
- * @param string $var the string to sanitize
- * @return string
- */
- static public function sanitizeHtmlAttribute($var)
- {
- $var = preg_replace("/\r|\n/", "", $var);
- return htmlspecialchars($var, ENT_QUOTES);
- }
-
  /**
  * Generate an attributes string form an input array
  * @param array $attributes an array of attributes keys and values,
@@ -127,7 +116,7 @@ class FormSetup
  if (is_array($value) || is_object($value)) {
  continue;
  }
- $Aattr[] = $attribute.'="'.self::sanitizeHtmlAttribute($value).'"';
+ $Aattr[] = $attribute.'="'.dol_escape_htmltag($value).'"';
  }
  }
@@ -164,7 +153,7 @@ class FormSetup
  // generate hidden values from $this->formHiddenInputs
  if (!empty($this->formHiddenInputs) && is_array($this->formHiddenInputs)) {
  foreach ($this->formHiddenInputs as $hiddenKey => $hiddenValue) {
- $out.= '';
+ $out.= '';
  }
  }
  }
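Review bot: In the attribute-building loop (hunk `-127,7 +116,7`) only `$value` goes through `dol_escape_htmltag()`; the attribute name `$attribute` is still concatenated into the markup unescaped, so a key containing a space, quote or `>` would not stay confined to the attribute name. If keys can ever come from configuration or request data, reject unexpected names before the append, e.g. `if (!preg_match('/^[a-zA-Z_:][a-zA-Z0-9_:.-]*$/', $attribute)) { continue; }`. The removed helper called `htmlspecialchars()` with `ENT_QUOTES` and stripped CR/LF, so it is worth confirming that `dol_escape_htmltag()` covers what these double-quoted attributes need and documenting that the double quotes are required. The hidden-input hunk (`-164,7 +153,7`) shows its old and new `$out.=` lines with the markup lost in this rendering, so presumably both `$hiddenKey` and `$hiddenValue` are now escaped, but that should be checked against the real file. The loop's enclosing function starts and ends outside the hunk.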