diff --git a/htdocs/core/boxes/box_task.php b/htdocs/core/boxes/box_task.php
index 9c6020bebdc..ea049c46e71 100644
--- a/htdocs/core/boxes/box_task.php
+++ b/htdocs/core/boxes/box_task.php
@@ -94,7 +94,7 @@ class box_task extends ModeleBoxes
if (in_array(GETPOST($cookie_name), array('all', 'im_project_contact', 'im_task_contact'))) {
$filterValue = GETPOST($cookie_name);
} elseif (!empty($_COOKIE[$cookie_name])) {
- $filterValue = $_COOKIE[$cookie_name];
+ $filterValue = preg_replace('/[^a-z_]/', '', $_COOKIE[$cookie_name]); // Clean cookie from evil data
}
if ($filterValue == 'im_task_contact') {
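Review bot: The cookie branch still accepts any string made of `[a-z_]`, while the GETPOST branch two lines above admits only the three known filter names, so the same value is validated two different ways depending on where it came from. Holding the cookie to the same allow-list is simpler and stricter: `} elseif (!empty($_COOKIE[$cookie_name]) && in_array($_COOKIE[$cookie_name], array('all', 'im_project_contact', 'im_task_contact'))) {` followed by `$filterValue = $_COOKIE[$cookie_name];`. That also rules out the case where stripping leaves an unexpected value such as an empty string; how `$filterValue` is consumed after the `im_task_contact` comparison is outside this hunk, so I cannot tell whether a leftover value reaches SQL or HTML. The enclosing method starts and ends outside the hunk.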
diff --git a/htdocs/core/class/html.formmargin.class.php b/htdocs/core/class/html.formmargin.class.php
index 5e18bb20782..7a6c3d9c13a 100644
--- a/htdocs/core/class/html.formmargin.class.php
+++ b/htdocs/core/class/html.formmargin.class.php
@@ -204,7 +204,7 @@ class FormMargin
if (!empty($conf->global->MARGIN_ADD_SHOWHIDE_BUTTON)) // TODO Warning this feature rely on an external js file that may be removed. Using native js function document.cookie should be better
{
print $langs->trans('ShowMarginInfos').' : ';
- $hidemargininfos = $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW'];
+ $hidemargininfos = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']); // Clean cookie
print ''.img_picto($langs->trans("Disabled"), 'switch_off').'';
print ''.img_picto($langs->trans("Enabled"), 'switch_on').'';
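Review bot: The new line still reads `$_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']` with no existence check, so a request without that cookie raises an undefined-index notice and hands `null` to `preg_replace`, the same gap the replaced line had. Guard the read first: `$hidemargininfos = preg_replace('/[^a-zA-Z0-9_\-]/', '', isset($_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']) ? $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW'] : '');`. Where `$hidemargininfos` is emitted is not visible in the hunk; if it ends up inside the show/hide markup that the TODO on the `MARGIN_ADD_SHOWHIDE_BUTTON` line refers to, the character-class filter is a reasonable defence but context-appropriate escaping at the output point should still be confirmed. The enclosing method starts and ends outside the hunk.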
diff --git a/htdocs/core/website.inc.php b/htdocs/core/website.inc.php
index 31d4d45723f..9d4cc3f7797 100644
--- a/htdocs/core/website.inc.php
+++ b/htdocs/core/website.inc.php
@@ -68,7 +68,7 @@ if ($pageid > 0)
{
$websitepage->fetch($pageid);
- $weblangs->setDefaultLang(GETPOSTISSET('lang') ? GETPOST('lang', 'aZ09') : (empty($_COOKIE['weblangs-shortcode']) ? 'auto' : $_COOKIE['weblangs-shortcode']));
+ $weblangs->setDefaultLang(GETPOSTISSET('lang') ? GETPOST('lang', 'aZ09') : (empty($_COOKIE['weblangs-shortcode']) ? 'auto' : preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['weblangs-shortcode'])));
$pagelangs->setDefaultLang($websitepage->lang ? $websitepage->lang : $weblangs->shortlang);
if (!defined('USEDOLIBARREDITOR') && (in_array($websitepage->type_container, array('menu', 'other')) || empty($websitepage->status)))
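Review bot: The `empty()` test runs on the raw cookie but the cleaned value is what gets used, so a `weblangs-shortcode` cookie consisting only of rejected characters now reaches `setDefaultLang('')` instead of the `'auto'` fallback. Clean first, then decide: `$cookielang = empty($_COOKIE['weblangs-shortcode']) ? '' : preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['weblangs-shortcode']);` and then `$weblangs->setDefaultLang(GETPOSTISSET('lang') ? GETPOST('lang', 'aZ09') : ($cookielang !== '' ? $cookielang : 'auto'));`. Note also that the GET path uses the `'aZ09'` filter and the cookie path a hand-written regex that admits `-`; if the two character sets differ, the same language code is accepted from one source and mangled from the other, which is worth aligning (the filter definition is not visible here). The enclosing `if ($pageid > 0)` block continues past the hunk.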
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index d97f4814dbc..3879f6c6978 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -521,7 +521,7 @@ if (!defined('NOLOGIN'))
$allowedmethodtopostusername = 2;
if (defined('MAIN_AUTHENTICATION_POST_METHOD')) $allowedmethodtopostusername = constant('MAIN_AUTHENTICATION_POST_METHOD');
- $usertotest = (!empty($_COOKIE['login_dolibarr']) ? $_COOKIE['login_dolibarr'] : GETPOST("username", "alpha", $allowedmethodtopostusername));
+ $usertotest = (!empty($_COOKIE['login_dolibarr']) ? preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['login_dolibarr']) : GETPOST("username", "alpha", $allowedmethodtopostusername));
$passwordtotest = GETPOST('password', 'none', $allowedmethodtopostusername);
$entitytotest = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : (!empty($conf->entity) ? $conf->entity : 1));
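Review bot: `!empty()` is evaluated on the raw `login_dolibarr` cookie while the cleaned value is what is assigned, so a non-empty cookie made only of rejected characters turns `$usertotest` into the empty string and the posted `username` is never consulted at all. Clean before choosing the source: `$cookielogin = empty($_COOKIE['login_dolibarr']) ? '' : preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['login_dolibarr']);` then `$usertotest = ($cookielogin !== '' ? $cookielogin : GETPOST("username", "alpha", $allowedmethodtopostusername));`. The cookie path also uses a different character set from the `'alpha'` filter on the POST path, so a login containing any character outside `[a-zA-Z0-9_-]` (if such logins exist in this deployment, which I cannot tell from here) would be silently altered when it arrives via the cookie and a different account would be tested. As far as the hunk shows, the cookie only selects which user to test and the password on the following line is still verified. The enclosing `if (!defined('NOLOGIN'))` block continues past the hunk.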
diff --git a/htdocs/takepos/index.php b/htdocs/takepos/index.php
index 29b11dbb8ad..3376023b8b6 100644
--- a/htdocs/takepos/index.php
+++ b/htdocs/takepos/index.php
@@ -48,7 +48,7 @@ $setterminal = GETPOST('setterminal', 'int');
if ($_SESSION["takeposterminal"] == "")
{
if ($conf->global->TAKEPOS_NUM_TERMINALS == "1") $_SESSION["takeposterminal"] = 1; // Use terminal 1 if there is only 1 terminal
- elseif (!empty($_COOKIE["takeposterminal"])) $_SESSION["takeposterminal"] = $_COOKIE["takeposterminal"]; // Restore takeposterminal from previous session
+ elseif (!empty($_COOKIE["takeposterminal"])) $_SESSION["takeposterminal"] = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE["takeposterminal"]); // Restore takeposterminal from previous session
}
if ($setterminal > 0)
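Review bot: Everything else in this hunk treats the terminal id as an integer (`GETPOST('setterminal', 'int')`, the literal `1`, `$setterminal > 0`), yet the cookie value is only regex-cleaned, so a cookie such as `abc` is still stored in `$_SESSION["takeposterminal"]` as the terminal. Cast and range-check instead: `elseif (!empty($_COOKIE["takeposterminal"]) && (int) $_COOKIE["takeposterminal"] > 0) $_SESSION["takeposterminal"] = (int) $_COOKIE["takeposterminal"]; // Restore takeposterminal from previous session`. This assumes terminal ids are always positive integers, which the visible lines suggest but do not prove; if non-numeric ids are possible the allowed set should at least be validated against the configured terminals rather than a character class.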
@@ -544,7 +544,7 @@ function Search2(keyCodeForEnter) {
if ($('#search').val() == data[0]['barcode'] && 'thirdparty' == data[0]['object']) {
console.log("There is only 1 answer with barcode matching the search, so we change the thirdparty "+data[0]['rowid']);
ChangeThirdparty(data[0]['rowid']);
- }
+ }
else if ($('#search').val() == data[0]['barcode'] && 'product' == data[0]['object']) {
console.log("There is only 1 answer with barcode matching the search, so we add the product in basket");
ClickProduct(0);
@@ -562,7 +562,7 @@ function Search2(keyCodeForEnter) {
}
});
}
-
+
}
function Edit(number) {