diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php
index 118ab6ededf..5527a7dd7f3 100644
--- a/htdocs/comm/action/card.php
+++ b/htdocs/comm/action/card.php
@@ -1789,7 +1789,7 @@ if ($id > 0)
 // Description
 print ''.$langs->trans("Description").'';
- print dol_htmlentitiesbr($object->note);
+ print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private));
 print '';
 // Other attributes
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index 750fbc59135..2289d280139 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -337,7 +337,7 @@ abstract class CommonObject
 /**
 * @deprecated
- * @see $note_public
+ * @see $note_private
 */
 public $note;
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index cba66729d8c..7188be03507 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -298,9 +298,13 @@ class Form
 $firstline = preg_replace('/[\n\r].*/', '', $firstline);
 $tmpcontent = $firstline.((strlen($firstline) != strlen($tmpcontent)) ? '...' : '');
 }
- $ret .= $tmpcontent;
+ // We dont use dol_escape_htmltag to get the html formating active, but this need we must also
+ // clean data from some dangerous html
+ $ret .= dol_string_onlythesehtmltags(dol_htmlentitiesbr($tmpcontent));
+ }
+ else {
+ $ret .= dol_escape_htmltag($value);
 }
- else $ret .= dol_escape_htmltag($value);
 if ($formatfunc && method_exists($object, $formatfunc)) {
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index b05cc41ea5d..681fc28f92a 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
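Review bot: The added line's `dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private))` is repeated verbatim in this commit in user/group/card.php, user/group/ldap.php, user/group/perms.php and user/note.php, so a small wrapper in functions.lib.php (e.g. a one-liner `return dol_string_onlythesehtmltags(dol_htmlentitiesbr($s));`) would keep the allow-list policy in one place and make the sanitising step hard to forget at the next display site. The call order also deserves a one-line comment at the call site, since the note inside dol_string_onlythesehtmltags() relies on the entity conversion having run first. The enclosing `if ($id > 0)` block starts and ends outside the hunk.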
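Review bot: The two comment lines added above the `$ret .=` assignment are hard to parse; I would replace them with `// dol_escape_htmltag() is deliberately not used here so that HTML formatting stays active, which is why the content must also be cleaned of dangerous HTML first`. It is also worth stating in that comment that the `else` branch keeps `dol_escape_htmltag($value)` on purpose, so the asymmetry is not "fixed" later. Note that `$tmpcontent` may already have been cut at the first line break and suffixed with `'...'` two lines earlier, so a tag opened on that first line can reach the filter unterminated and presumably be dropped by strip_tags(); that is pre-existing but worth a remark next to the truncation. The enclosing method of class Form starts and ends outside the hunk.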
@@ -5559,22 +5559,27 @@ function dol_string_nohtmltag($stringtoclean, $removelinefeed = 1, $pagecodeto =
 /**
 * Clean a string to keep only desirable HTML tags.
 *
- * @param string $stringtoclean String to clean
- * @return string String cleaned
+ * @param string $stringtoclean String to clean
+ * @param string $cleanalsosomestyles Clean also some tags
+ * @return string String cleaned
 *
 * @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_neverthesehtmltags()
 */
-function dol_string_onlythesehtmltags($stringtoclean)
+function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1)
 {
 $allowed_tags = array(
- "html", "head", "meta", "body", "article", "a", "b", "br", "div", "em", "font", "img", "ins", "hr", "i", "li", "link",
+ "html", "head", "meta", "body", "article", "a", "b", "br", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link",
 "ol", "p", "s", "section", "span", "strong", "title", "table", "tr", "th", "td", "u", "ul"
 );
-
 $allowed_tags_string = join("><", $allowed_tags);
 $allowed_tags_string = preg_replace('/^>/', '', $allowed_tags_string);
 $allowed_tags_string = preg_replace('/<$/', '', $allowed_tags_string);
+ $allowed_tags_string = '<'.$allowed_tags_string.'>';
+
+ if ($cleanalsosomestyles) {
+ $stringtoclean = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $stringtoclean); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless
+ }
 $temp = strip_tags($stringtoclean, $allowed_tags_string);
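Review bot: The new `preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', ...)` is case-sensitive while CSS property names, keyword values and `!important` are matched case-insensitively by browsers, so the pattern needs the `i` modifier to filter what the browser would actually apply: `preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/i', '', $stringtoclean)`. The same pattern is duplicated in dol_string_neverthesehtmltags (hunks at -5583 and -5598), so one shared pattern constant, with `i`, would keep the two in step. The docblock types `$cleanalsosomestyles` as `string` and describes it as "Clean also some tags", while the code treats it as a boolean switch defaulting to `1`; `@param int $cleanalsosomestyles 1=Also strip 'position:absolute|fixed !important' CSS declarations` matches the code. The trailing comment's claim that a CSS comment inserted to break the pattern is made harmless by dol_htmlentitiesbr() cannot be checked from this hunk and should be hedged or backed by a unit test. The function body continues past the hunk.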
@@ -5583,14 +5588,16 @@ function dol_string_onlythesehtmltags($stringtoclean)
 /**
 * Clean a string from some undesirable HTML tags.
+ * Note. Not enough secured as dol_string_onlythesehtmltags().
 *
- * @param string $stringtoclean String to clean
- * @param array $disallowed_tags Array of tags not allowed
- * @return string String cleaned
+ * @param string $stringtoclean String to clean
+ * @param array $disallowed_tags Array of tags not allowed
+ * @param string $cleanalsosomestyles Clean also some tags
+ * @return string String cleaned
 *
 * @see dol_escape_htmltag() strip_tags() dol_string_nohtmltag() dol_string_onlythesehtmltags()
 */
-function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array('textarea'))
+function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array('textarea'), $cleanalsosomestyles = 0)
 {
 $temp = $stringtoclean;
 foreach ($disallowed_tags as $tagtoremove)
@@ -5598,6 +5605,11 @@ function dol_string_neverthesehtmltags($stringtoclean, $disallowed_tags = array(
 $temp = preg_replace('/<\/?'.$tagtoremove.'>/', '', $temp);
 $temp = preg_replace('/<\/?'.$tagtoremove.'\s+[^>]*>/', '', $temp);
 }
+
+ if ($cleanalsosomestyles) {
+ $temp = preg_replace('/position\s*:\s*(absolute|fixed)\s*!\s*important/', '', $temp); // Note: If hacker try to introduce css comment into string to avoid this, string should be encoded by the dol_htmlentitiesbr so be harmless
+ }
+
 return $temp;
 }
diff --git a/htdocs/core/tpl/notes.tpl.php b/htdocs/core/tpl/notes.tpl.php
index 7663af1c48e..e19d28ce793 100644
--- a/htdocs/core/tpl/notes.tpl.php
+++ b/htdocs/core/tpl/notes.tpl.php
@@ -1,7 +1,7 @@
 * Copyright (C) 2013 Florian Henry
- * Copyright (C) 2014-2017 Laurent Destailleur
+ * Copyright (C) 2014-2020 Laurent Destailleur
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -78,20 +78,21 @@ print '
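Review bot: The added docblock line `Note. Not enough secured as dol_string_onlythesehtmltags().` reads awkwardly and does not tell the caller what to do instead; I would write `Note: this is a deny-list and is less secure than the allow-list dol_string_onlythesehtmltags(); prefer that function for untrusted content.` The new `$cleanalsosomestyles` parameter is documented as `string` but used as an int switch, defaulting to `0` here and to `1` in dol_string_onlythesehtmltags, so `@param int $cleanalsosomestyles` is the accurate type and the differing defaults deserve a sentence explaining why the deny-list variant leaves the style filter off. The foreach body continues in the next hunk.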
'."\n if ($module != 'product') { // No public note yet on products print '
'."\n"; - print '
'."\n"; + print '
'."\n"; print $form->editfieldkey("NotePublic", $note_public, $value_public, $object, $permission, $typeofdata, $moreparam, '', 0); print '
'."\n"; - print '
'."\n"; + print '
'."\n"; print $form->editfieldval("NotePublic", $note_public, $value_public, $object, $permission, $typeofdata, '', null, null, $moreparam, 1)."\n"; print '
'."\n"; print '
'."\n"; } if (empty($user->socid)) { + // Private notes (always hidden to external users) print '
'."\n"; - print '
'."\n"; + print '
'."\n"; print $form->editfieldkey("NotePrivate", $note_private, $value_private, $object, $permission, $typeofdata, $moreparam, '', 0); print '
'."\n"; - print '
'."\n"; + print '
'."\n"; print $form->editfieldval("NotePrivate", $note_private, $value_private, $object, $permission, $typeofdata, '', null, null, $moreparam, 1); print '
'."\n"; print '
'."\n";
diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php
index c6386ba7ea2..670734e6706 100644
--- a/htdocs/theme/eldy/global.inc.php
+++ b/htdocs/theme/eldy/global.inc.php
@@ -23,6 +23,10 @@ body {
 trans("DIRECTION").";\n"; ?>
 }
+.sensiblehtmlcontent * {
+ position: static !important;
+}
+
 .thumbstat { font-weight: bold !important; }
 th a { font-weight: !important; }
 a.tab { font-weight: 500 !important; }
diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php
index 2f76ee382e9..0293513109d 100644
--- a/htdocs/theme/md/style.css.php
+++ b/htdocs/theme/md/style.css.php
@@ -247,6 +247,10 @@ body {
 trans("DIRECTION").";\n"; ?>
 }
+.sensiblehtmlcontent * {
+ position: static !important;
+}
+
 .thumbstat { font-weight: bold !important; }
 th a { font-weight: !important; }
 a.tab { font-weight: 500 !important; }
diff --git a/htdocs/user/group/card.php b/htdocs/user/group/card.php
index cd8607a764b..19c52b6fa7f 100644
--- a/htdocs/user/group/card.php
+++ b/htdocs/user/group/card.php
@@ -386,7 +386,9 @@ else
 // Note
 print ''.$langs->trans("Description").'';
- print ''.dol_htmlentitiesbr($object->note).' ';
+ print '';
+ print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note));
+ print '';
 print "\n";
 // Other attributes
diff --git a/htdocs/user/group/ldap.php b/htdocs/user/group/ldap.php
index 448f38aea50..eca923f68be 100644
--- a/htdocs/user/group/ldap.php
+++ b/htdocs/user/group/ldap.php
@@ -126,7 +126,9 @@ if (! empty($conf->mutlicompany->enabled))
 // Note
 print ''.$langs->trans("Description").'';
-print ''.dol_htmlentitiesbr($object->note).'';
+print '';
+print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note));
+print '';
 print "\n";
 // LDAP DN
diff --git a/htdocs/user/group/perms.php b/htdocs/user/group/perms.php
index 39dc2e61f9f..576cbebff8d 100644
--- a/htdocs/user/group/perms.php
+++ b/htdocs/user/group/perms.php
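Review bot: The new `.sensiblehtmlcontent *` rule carries no comment explaining why it exists or why it only needs to cover declarations without `!important`; a reader will not connect it to the server-side filter in functions.lib.php. I would add above it `/* Neutralise positioning inside user-supplied HTML (notes, descriptions) so it cannot be laid over the application UI; an inline 'position:absolute|fixed !important' would still beat this rule, so dol_string_onlythesehtmltags() strips those server-side. */`. The identical rule is added to theme/md/style.css.php in this commit, so the comment belongs in both places, or the rule in one shared include. Whether every container that prints a filtered note actually carries the `sensiblehtmlcontent` class cannot be checked from this diff, because the markup lines of the notes.tpl.php hunk are not legible here.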
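Review bot: The added `dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note))` line still reads `$object->note`, which commonobject.class.php marks `@deprecated` in this same commit (now pointing at `$note_private`), while comm/action/card.php and user/note.php were switched to `note_private`; user/group/ldap.php and user/group/perms.php have the same inconsistency. If UserGroup fills `note_private`, the three sites should read `dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private))`; if it only fills `note`, a short comment saying so would stop the next reader from "fixing" it. The enclosing `else` block starts outside the hunk.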
@@ -212,7 +212,9 @@ if ($object->id > 0)
 // Note
 print ''.$langs->trans("Description").'';
- print ''.dol_htmlentitiesbr($object->note).'';
+ print '';
+ print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note));
+ print '';
 print "\n";
 print '
';
diff --git a/htdocs/user/note.php b/htdocs/user/note.php
index cdf6f65b9a1..dc2f11b96fa 100644
--- a/htdocs/user/note.php
+++ b/htdocs/user/note.php
@@ -111,19 +111,19 @@ if ($id)
 // Note
 print ''.$langs->trans("Note").'';
- print '';
+ print '';
 if ($action == 'edit' && $user->rights->user->user->creer) {
 print "";
 print "id."\">";
 // Editeur wysiwyg
 require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
- $doleditor=new DolEditor('note_private', $object->note, '', 280, 'dolibarr_notes', 'In', true, false, $conf->global->FCKEDITOR_ENABLE_SOCIETE, ROWS_8, '90%');
+ $doleditor=new DolEditor('note_private', $object->note_private, '', 280, 'dolibarr_notes', 'In', true, false, $conf->global->FCKEDITOR_ENABLE_SOCIETE, ROWS_8, '90%');
 $doleditor->Create();
 } else {
- print dol_htmlentitiesbr($object->note);
+ print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private));
 }
 print "";
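Review bot: Both the `DolEditor` preload and the read-only `print` now use `$object->note_private`, but the hunk does not show the action handler that stores the edited value; if that code still writes `$object->note` or the old column, the page would load from one field and save to another, so the save path in this file should be confirmed and a comment on the `DolEditor` line should name the field it is expected to persist. The edit branch also passes `$conf->global->FCKEDITOR_ENABLE_SOCIETE` to a user-note editor, which looks copied from the third-party card; that is pre-existing, but a user-specific editor flag, if one exists, would be the accurate one. The enclosing `if ($id)` block starts and ends outside the hunk.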