diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index a656c34ca79..042a1f219cd 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -3734,7 +3734,7 @@ class Commande extends CommonOrder
 $target_value=array('_self', '_blank', '_parent', '_top');
 if (in_array($target, $target_value)) {
- $linkclose .= ' target="'.$target.'"';
+ $linkclose .= ' target="'.dol_escape_htmltag($target).'"';
 }
 }
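Review bot: The allow-list test on the context line `if (in_array($target, $target_value)) {` still compares loosely, so a non-string `$target` such as boolean `true` matches `'_self'` and passes the check. The added `dol_escape_htmltag()` keeps the attribute well-formed in that case, but the emitted value is then not one of the four permitted targets. Passing the strict flag, `if (in_array($target, $target_value, true)) {`, makes the allow-list exact and leaves the escaping as defence in depth. Where `$target` originates is not visible here, and the enclosing method starts and ends outside the hunk.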