diff --git a/htdocs/admin/bom.php b/htdocs/admin/bom.php index a35aef780d2..57b4b5aad06 100644 --- a/htdocs/admin/bom.php +++ b/htdocs/admin/bom.php @@ -51,10 +51,10 @@ $type = 'bom'; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconstbom = GETPOST('maskconstBom', 'alpha'); + $maskconstbom = GETPOST('maskconstBom', 'aZ09'); $maskbom = GETPOST('maskBom', 'alpha'); - if ($maskconstbom) { + if ($maskconstbom && preg_match('/_MASK$/', $maskconstbom)) { $res = dolibarr_set_const($db, $maskconstbom, $maskbom, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/chequereceipts.php b/htdocs/admin/chequereceipts.php index ed05180ef24..77994debadb 100644 --- a/htdocs/admin/chequereceipts.php +++ b/htdocs/admin/chequereceipts.php @@ -54,9 +54,9 @@ if (empty($conf->global->CHEQUERECEIPTS_ADDON)) { */ if ($action == 'updateMask') { - $maskconstchequereceipts = GETPOST('maskconstchequereceipts', 'alpha'); + $maskconstchequereceipts = GETPOST('maskconstchequereceipts', 'aZ09'); $maskchequereceipts = GETPOST('maskchequereceipts', 'alpha'); - if ($maskconstchequereceipts) { + if ($maskconstchequereceipts && preg_match('/_MASK$/', $maskconstchequereceipts)) { $res = dolibarr_set_const($db, $maskconstchequereceipts, $maskchequereceipts, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/commande.php b/htdocs/admin/commande.php index 34a5e281fac..79c42f6e2db 100644 --- a/htdocs/admin/commande.php +++ b/htdocs/admin/commande.php @@ -61,10 +61,10 @@ $type = 'order'; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconstorder = GETPOST('maskconstorder', 'alpha'); + $maskconstorder = GETPOST('maskconstorder', 'aZ09'); $maskorder = GETPOST('maskorder', 'alpha'); - if ($maskconstorder) { + if ($maskconstorder && preg_match('/_MASK$/', $maskconstorder)) { $res = dolibarr_set_const($db, $maskconstorder, $maskorder, 'chaine', 0, '', $conf->entity); } 
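Review bot: The `/_MASK$/` test added in bom.php constrains only the suffix, so the name passed to `dolibarr_set_const()` is still chosen by the request and may be any constant ending in `_MASK`, including ones that belong to other modules. Each setup page knows which constants it manages, so the check can anchor the start as well, e.g. `preg_match('/^<MODULE_PREFIX>_[A-Z0-9_]*_MASK$/', $maskconstbom)` (placeholder prefix; the real constant names are not visible in this patch), or compare against a fixed list. The same applies to every other `updateMask` hunk in this patch, from chequereceipts.php through ticket.php. The `updateMask` block continues past the end of the hunk.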
diff --git a/htdocs/admin/contract.php b/htdocs/admin/contract.php index 48247bf0b8e..c5a4d1a3463 100644 --- a/htdocs/admin/contract.php +++ b/htdocs/admin/contract.php @@ -58,9 +58,9 @@ include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; $error=0; if ($action == 'updateMask') { - $maskconst = GETPOST('maskconstcontract', 'alpha'); + $maskconst = GETPOST('maskconstcontract', 'aZ09'); $maskvalue = GETPOST('maskcontract', 'alpha'); - if ($maskconst) { + if ($maskconst && preg_match('/_MASK$/', $maskconst)) { $res = dolibarr_set_const($db, $maskconst, $maskvalue, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/delivery.php b/htdocs/admin/delivery.php index a1fef4091ce..9094762f68d 100644 --- a/htdocs/admin/delivery.php +++ b/htdocs/admin/delivery.php @@ -90,9 +90,9 @@ if ($action == 'activate_delivery') { } if ($action == 'updateMask') { - $maskconstdelivery = GETPOST('maskconstdelivery', 'alpha'); + $maskconstdelivery = GETPOST('maskconstdelivery', 'aZ09'); $maskdelivery = GETPOST('maskdelivery', 'alpha'); - if ($maskconstdelivery) { + if ($maskconstdelivery && preg_match('/_MASK$/', $maskconstdelivery)) { $res = dolibarr_set_const($db, $maskconstdelivery, $maskdelivery, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/eventorganization.php b/htdocs/admin/eventorganization.php index cc9b8d7bca8..31df0ffe142 100644 --- a/htdocs/admin/eventorganization.php +++ b/htdocs/admin/eventorganization.php @@ -88,10 +88,10 @@ if ((float) DOL_VERSION >= 6) { } if ($action == 'updateMask') { - $maskconstorder = GETPOST('maskconstorder', 'alpha'); + $maskconstorder = GETPOST('maskconstorder', 'aZ09'); $maskorder = GETPOST('maskorder', 'alpha'); - if ($maskconstorder) { + if ($maskconstorder && preg_match('/_MASK$/', $maskconstorder)) { $res = dolibarr_set_const($db, $maskconstorder, $maskorder, 'chaine', 0, '', $conf->entity); if (!($res > 0)) { $error++; 
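Review bot: A constant name that fails the new check in eventorganization.php is dropped silently, because the `$error++` handling sits inside the same `if` and is skipped along with the write. The administrator gets no feedback, and a tampered `maskconstorder` leaves no trace in the logs. An `else` branch such as `} else { $error++; dol_syslog('updateMask: rejected constant name', LOG_WARNING); }` would surface both cases. The hrm.php, knowledgemanagement.php and stocktransfer.php hunks have the same shape, and this block continues outside the hunk, so whatever reads `$error` afterwards is not visible here.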
diff --git a/htdocs/admin/expedition.php b/htdocs/admin/expedition.php index 485ce901e5c..1db6a9cc9d6 100644 --- a/htdocs/admin/expedition.php +++ b/htdocs/admin/expedition.php @@ -62,9 +62,9 @@ if (empty($conf->global->EXPEDITION_ADDON_NUMBER)) { include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconst = GETPOST('maskconstexpedition', 'alpha'); + $maskconst = GETPOST('maskconstexpedition', 'aZ09'); $maskvalue = GETPOST('maskexpedition', 'alpha'); - if (!empty($maskconst)) { + if (!empty($maskconst) && preg_match('/_MASK$/', $maskconst)) { $res = dolibarr_set_const($db, $maskconst, $maskvalue, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/expensereport.php b/htdocs/admin/expensereport.php index 8c20b493105..25bef9fde22 100644 --- a/htdocs/admin/expensereport.php +++ b/htdocs/admin/expensereport.php @@ -58,9 +58,9 @@ $type = 'expensereport'; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconst = GETPOST('maskconst', 'alpha'); + $maskconst = GETPOST('maskconst', 'aZ09'); $maskvalue = GETPOST('maskvalue', 'alpha'); - if ($maskconst) { + if ($maskconst && preg_match('/_MASK$/', $maskconst)) { $res = dolibarr_set_const($db, $maskconst, $maskvalue, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/facture.php b/htdocs/admin/facture.php index 10746c794be..a715004529e 100644 --- a/htdocs/admin/facture.php +++ b/htdocs/admin/facture.php 
@@ -58,24 +58,24 @@ $type = 'invoice'; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconstinvoice = GETPOST('maskconstinvoice', 'alpha'); - $maskconstreplacement = GETPOST('maskconstreplacement', 'alpha'); - $maskconstcredit = GETPOST('maskconstcredit', 'alpha'); - $maskconstdeposit = GETPOST('maskconstdeposit', 'alpha'); + $maskconstinvoice = GETPOST('maskconstinvoice', 'aZ09'); + $maskconstreplacement = GETPOST('maskconstreplacement', 'aZ09'); + $maskconstcredit = GETPOST('maskconstcredit', 'aZ09'); + $maskconstdeposit = GETPOST('maskconstdeposit', 'aZ09'); $maskinvoice = GETPOST('maskinvoice', 'alpha'); $maskreplacement = GETPOST('maskreplacement', 'alpha'); $maskcredit = GETPOST('maskcredit', 'alpha'); $maskdeposit = GETPOST('maskdeposit', 'alpha'); - if ($maskconstinvoice) { + if ($maskconstinvoice && preg_match('/_MASK_/', $maskconstinvoice)) { $res = dolibarr_set_const($db, $maskconstinvoice, $maskinvoice, 'chaine', 0, '', $conf->entity); } - if ($maskconstreplacement) { + if ($maskconstreplacement && preg_match('/_MASK_/', $maskconstreplacement)) { $res = dolibarr_set_const($db, $maskconstreplacement, $maskreplacement, 'chaine', 0, '', $conf->entity); } - if ($maskconstcredit) { + if ($maskconstcredit && preg_match('/_MASK_/', $maskconstcredit)) { $res = dolibarr_set_const($db, $maskconstcredit, $maskcredit, 'chaine', 0, '', $conf->entity); } - if ($maskconstdeposit) { + if ($maskconstdeposit && preg_match('/_MASK_/', $maskconstdeposit)) { $res = dolibarr_set_const($db, $maskconstdeposit, $maskdeposit, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/fichinter.php b/htdocs/admin/fichinter.php index cf637d37329..2e331b3cc80 100644 --- a/htdocs/admin/fichinter.php +++ b/htdocs/admin/fichinter.php 
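Review bot: The four checks in facture.php use the unanchored `/_MASK_/`, which accepts any name containing that substring, whereas every other file in this patch anchors with `/_MASK$/`. If the invoice constants carry a type suffix after `_MASK_` (presumably why the pattern differs; the form is not shown), anchoring the end keeps the intent while narrowing the match: `preg_match('/_MASK_[A-Z]+$/', $maskconstinvoice)`. supplier_invoice.php validates the same parameter names with `/_MASK$/`, so it is worth confirming which shape the supplier constants have, since a mismatch would silently stop the mask from being saved.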
@@ -58,9 +58,9 @@ $type = 'ficheinter'; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconst = GETPOST('maskconst', 'alpha'); + $maskconst = GETPOST('maskconst', 'aZ09'); $maskvalue = GETPOST('maskvalue', 'alpha'); - if ($maskconst) { + if ($maskconst && preg_match('/_MASK$/', $maskconst)) { $res = dolibarr_set_const($db, $maskconst, $maskvalue, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/holiday.php b/htdocs/admin/holiday.php index 9a60c6b9b84..b85e257c69e 100644 --- a/htdocs/admin/holiday.php +++ b/htdocs/admin/holiday.php @@ -58,9 +58,9 @@ if (empty($conf->global->HOLIDAY_ADDON)) { include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconst = GETPOST('maskconstholiday', 'alpha'); + $maskconst = GETPOST('maskconstholiday', 'aZ09'); $maskvalue = GETPOST('maskholiday', 'alpha'); - if ($maskconst) { + if ($maskconst && preg_match('/_MASK$/', $maskconst)) { $res = dolibarr_set_const($db, $maskconst, $maskvalue, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/hrm.php b/htdocs/admin/hrm.php index 08ece979e21..81968a945f1 100644 --- a/htdocs/admin/hrm.php +++ b/htdocs/admin/hrm.php @@ -91,10 +91,10 @@ if ($action == 'update') { } } } elseif ($action == 'updateMask') { - $maskconstorder = GETPOST('maskconstorder', 'alpha'); + $maskconstorder = GETPOST('maskconstorder', 'aZ09'); $maskorder = GETPOST('maskorder', 'alpha'); - if ($maskconstorder) { + if ($maskconstorder && preg_match('/_MASK$/', $maskconstorder)) { $res = dolibarr_set_const($db, $maskconstorder, $maskorder, 'chaine', 0, '', $conf->entity); if (!($res > 0)) { $error++; diff --git a/htdocs/admin/knowledgemanagement.php b/htdocs/admin/knowledgemanagement.php index b1710a53839..e93128a6a0c 100644 --- a/htdocs/admin/knowledgemanagement.php +++ b/htdocs/admin/knowledgemanagement.php 
@@ -69,11 +69,11 @@ if (!$user->admin) { include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconstorder = GETPOST('maskconstorder', 'alpha'); + $maskconst = GETPOST('maskconst', 'aZ09'); $maskorder = GETPOST('maskorder', 'alpha'); - if ($maskconstorder) { - $res = dolibarr_set_const($db, $maskconstorder, $maskorder, 'chaine', 0, '', $conf->entity); + if ($maskconst && preg_match('/_MASK$/', $maskconst)) { + $res = dolibarr_set_const($db, $maskconst, $maskorder, 'chaine', 0, '', $conf->entity); if (!($res > 0)) { $error++; } diff --git a/htdocs/admin/mrp.php b/htdocs/admin/mrp.php index 36a82e965f4..21fff1c45e6 100644 --- a/htdocs/admin/mrp.php +++ b/htdocs/admin/mrp.php @@ -52,10 +52,10 @@ $type = 'mrp'; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconstmrp = GETPOST('maskconstMo', 'alpha'); + $maskconstmrp = GETPOST('maskconstMo', 'aZ09'); $maskmrp = GETPOST('maskMo', 'alpha'); - if ($maskconstmrp) { + if ($maskconstmrp && preg_match('/_MASK$/', $maskconstmrp)) { $res = dolibarr_set_const($db, $maskconstmrp, $maskmrp, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/payment.php b/htdocs/admin/payment.php index 59da712b266..7b0d0acbf06 100644 --- a/htdocs/admin/payment.php +++ b/htdocs/admin/payment.php @@ -51,9 +51,9 @@ if (empty($conf->global->PAYMENT_ADDON)) { */ if ($action == 'updateMask') { - $maskconstpayment = GETPOST('maskconstpayment', 'alpha'); + $maskconstpayment = GETPOST('maskconstpayment', 'aZ09'); $maskpayment = GETPOST('maskpayment', 'alpha'); - if ($maskconstpayment) { + if ($maskconstpayment && preg_match('/_MASK$/', $maskconstpayment)) { $res = dolibarr_set_const($db, $maskconstpayment, $maskpayment, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/propal.php b/htdocs/admin/propal.php index 7883cc7da20..10044e33b5b 100644 --- a/htdocs/admin/propal.php +++ b/htdocs/admin/propal.php 
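Review bot: In knowledgemanagement.php the request parameter read for the constant name changes from `maskconstorder` to `maskconst`, on top of the filter change that the other files get. The form that posts this field is outside the hunk, so please confirm it sends `maskconst`; if it still sends `maskconstorder`, the condition is always false and the mask is never saved, with no error raised. A short comment such as `// field name must match the hidden input emitted by the numbering module` above the `GETPOST` would document the coupling.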
@@ -58,9 +58,9 @@ include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; $error = 0; if ($action == 'updateMask') { - $maskconstpropal = GETPOST('maskconstpropal', 'alpha'); + $maskconstpropal = GETPOST('maskconstpropal', 'aZ09'); $maskpropal = GETPOST('maskpropal', 'alpha'); - if ($maskconstpropal) { + if ($maskconstpropal && preg_match('/_MASK$/', $maskconstpropal)) { $res = dolibarr_set_const($db, $maskconstpropal, $maskpropal, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/reception_setup.php b/htdocs/admin/reception_setup.php index c86db66e464..32f6c5b226e 100644 --- a/htdocs/admin/reception_setup.php +++ b/htdocs/admin/reception_setup.php @@ -65,9 +65,9 @@ if (empty($conf->global->RECEPTION_ADDON_NUMBER)) { include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconst = GETPOST('maskconstreception', 'alpha'); + $maskconst = GETPOST('maskconstreception', 'aZ09'); $maskvalue = GETPOST('maskreception', 'alpha'); - if (!empty($maskconst)) { + if (!empty($maskconst) && preg_match('/_MASK$/', $maskconst)) { $res = dolibarr_set_const($db, $maskconst, $maskvalue, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/stocktransfer.php b/htdocs/admin/stocktransfer.php index 3bcd00c1fe8..02c73bb2a76 100644 --- a/htdocs/admin/stocktransfer.php +++ b/htdocs/admin/stocktransfer.php @@ -64,10 +64,10 @@ include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconststocktransfer = GETPOST('maskconststocktransfer', 'alpha'); + $maskconststocktransfer = GETPOST('maskconststocktransfer', 'aZ09'); $maskstocktransfer = GETPOST('maskStockTransfer', 'alpha'); - if ($maskconststocktransfer) { + if ($maskconststocktransfer && preg_match('/_MASK$/', $maskconststocktransfer)) { $res = dolibarr_set_const($db, $maskconststocktransfer, $maskstocktransfer, 'chaine', 0, '', $conf->entity); if ($res <= 0) $error++; } 
diff --git a/htdocs/admin/supplier_invoice.php b/htdocs/admin/supplier_invoice.php index 3524111c96e..7b1831e759d 100644 --- a/htdocs/admin/supplier_invoice.php +++ b/htdocs/admin/supplier_invoice.php @@ -38,10 +38,6 @@ require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.facture.class.php'; // Load translation files required by the page $langs->loadLangs(array("admin", "other", "orders")); -if (!$user->admin) { - accessforbidden(); -} - $type = GETPOST('type', 'alpha'); $value = GETPOST('value', 'alpha'); $action = GETPOST('action', 'aZ09'); @@ -52,26 +48,32 @@ $scandir = GETPOST('scan_dir', 'alpha'); $specimenthirdparty = new Societe($db); $specimenthirdparty->initAsSpecimen(); +$error = 0; + +if (!$user->admin) { + accessforbidden(); +} + /* * Actions */ if ($action == 'updateMask') { - $maskconstinvoice = GETPOST('maskconstinvoice', 'alpha'); - $maskconstcredit = GETPOST('maskconstcredit', 'alpha'); - $maskconstdeposit = GETPOST('maskconstdeposit', 'alpha'); + $maskconstinvoice = GETPOST('maskconstinvoice', 'aZ09'); + $maskconstcredit = GETPOST('maskconstcredit', 'aZ09'); + $maskconstdeposit = GETPOST('maskconstdeposit', 'aZ09'); $maskinvoice = GETPOST('maskinvoice', 'alpha'); $maskcredit = GETPOST('maskcredit', 'alpha'); $maskdeposit = GETPOST('maskdeposit', 'alpha'); - if ($maskconstinvoice) { + if ($maskconstinvoice && preg_match('/_MASK$/', $maskconstinvoice)) { $res = dolibarr_set_const($db, $maskconstinvoice, $maskinvoice, 'chaine', 0, '', $conf->entity); } - if ($maskconstcredit) { + if ($maskconstcredit && preg_match('/_MASK$/', $maskconstcredit)) { $res = dolibarr_set_const($db, $maskconstcredit, $maskcredit, 'chaine', 0, '', $conf->entity); } - if ($maskconstdeposit) { + if ($maskconstdeposit && preg_match('/_MASK$/', $maskconstdeposit)) { $res = dolibarr_set_const($db, $maskconstdeposit, $maskdeposit, 'chaine', 0, '', $conf->entity); } 
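Review bot: In supplier_invoice.php the `if (!$user->admin) { accessforbidden(); }` gate now sits below the `GETPOST()` reads and the `new Societe($db)` / `initAsSpecimen()` calls, so that setup work runs for non-admin callers before they are rejected. Nothing in the visible lines needs `$error` or the specimen object ahead of the gate, so the check can stay directly after `$langs->loadLangs(...)`, with `$error = 0;` added on its own. Keeping authorization as the first statement after bootstrap also stops a later edit from slipping side effects above it.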
diff --git a/htdocs/admin/supplier_order.php b/htdocs/admin/supplier_order.php index bb1b94d4385..abee8200cef 100644 --- a/htdocs/admin/supplier_order.php +++ b/htdocs/admin/supplier_order.php @@ -61,10 +61,10 @@ $specimenthirdparty->initAsSpecimen(); include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconstorder = GETPOST('maskconstorder', 'alpha'); + $maskconstorder = GETPOST('maskconstorder', 'aZ09'); $maskvalue = GETPOST('maskorder', 'alpha'); - if ($maskconstorder) { + if ($maskconstorder && preg_match('/_MASK$/', $maskconstorder)) { $res = dolibarr_set_const($db, $maskconstorder, $maskvalue, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/supplier_payment.php b/htdocs/admin/supplier_payment.php index 86fcccfb8f2..ac00e4846ac 100644 --- a/htdocs/admin/supplier_payment.php +++ b/htdocs/admin/supplier_payment.php @@ -52,9 +52,9 @@ $type = 'supplier_payment'; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconstsupplierpayment = GETPOST('maskconstsupplierpayment', 'alpha'); + $maskconstsupplierpayment = GETPOST('maskconstsupplierpayment', 'aZ09'); $masksupplierpayment = GETPOST('masksupplierpayment', 'alpha'); - if ($maskconstsupplierpayment) { + if ($maskconstsupplierpayment && preg_match('/_MASK$/', $maskconstsupplierpayment)) { $res = dolibarr_set_const($db, $maskconstsupplierpayment, $masksupplierpayment, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/supplier_proposal.php b/htdocs/admin/supplier_proposal.php index 993e19fc796..62be111449d 100644 --- a/htdocs/admin/supplier_proposal.php +++ b/htdocs/admin/supplier_proposal.php 
@@ -55,9 +55,9 @@ $error = 0; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconstsupplier_proposal = GETPOST('maskconstsupplier_proposal', 'alpha'); + $maskconstsupplier_proposal = GETPOST('maskconstsupplier_proposal', 'aZ09'); $masksupplier_proposal = GETPOST('masksupplier_proposal', 'alpha'); - if ($maskconstsupplier_proposal) { + if ($maskconstsupplier_proposal && preg_match('/_MASK$/', $maskconstsupplier_proposal)) { $res = dolibarr_set_const($db, $maskconstsupplier_proposal, $masksupplier_proposal, 'chaine', 0, '', $conf->entity); } diff --git a/htdocs/admin/ticket.php b/htdocs/admin/ticket.php index 9cebbc3b36d..6a6201642ee 100644 --- a/htdocs/admin/ticket.php +++ b/htdocs/admin/ticket.php @@ -47,7 +47,7 @@ $scandir = GETPOST('scandir', 'alpha'); $type = 'ticket'; $error = 0; - +$reg = array(); /* * Actions @@ -56,10 +56,10 @@ $error = 0; include DOL_DOCUMENT_ROOT.'/core/actions_setmoduleoptions.inc.php'; if ($action == 'updateMask') { - $maskconstticket = GETPOST('maskconstticket', 'alpha'); + $maskconstticket = GETPOST('maskconstticket', 'aZ09'); $maskticket = GETPOST('maskticket', 'alpha'); - if ($maskconstticket) { + if ($maskconstticket && preg_match('/_MASK$/', $maskconstticket)) { $res = dolibarr_set_const($db, $maskconstticket, $maskticket, 'chaine', 0, '', $conf->entity); } @@ -484,7 +484,7 @@ foreach ($dirmodels as $reldir) { // Preview print '