From 8aaec8acb6dd868d2351337667cc9de7a4d92214 Mon Sep 17 00:00:00 2001
From: Thierry Bugier <tbugier@teclib.com>
Date: Fri, 16 Jun 2023 15:21:22 +0200
Subject: [PATCH] fix(selectfield,multiselectfield): fix possible encoding
 problem

---
 inc/field/multiselectfield.class.php          |   5 +-
 inc/formanswer.class.php                      |   2 +-
 install/install.php                           |   1 +
 .../mysql/plugin_formcreator_2.13.7_empty.sql | 352 ++++++++++++++++++
 install/upgrade_to_2.13.7.php                 |  86 +++++
 setup.php                                     |   4 +-
 6 files changed, 446 insertions(+), 4 deletions(-)
 create mode 100644 install/mysql/plugin_formcreator_2.13.7_empty.sql
 create mode 100644 install/upgrade_to_2.13.7.php

diff --git a/inc/field/multiselectfield.class.php b/inc/field/multiselectfield.class.php
index ce59a0979..4923d05e0 100644
--- a/inc/field/multiselectfield.class.php
+++ b/inc/field/multiselectfield.class.php
@@ -34,6 +34,7 @@
 
 use Dropdown;
 use Html;
+use Glpi\Toolbox\Sanitizer;
 
 class MultiSelectField extends CheckboxesField
 {
@@ -55,8 +56,10 @@ public function getRenderedHtml($domain, $canEdit = true): string {
       $fieldName = 'formcreator_field_' . $id;
       $values    = $this->getAvailableValues();
       $translatedValues = [];
+
       foreach ($values as $key => $value) {
-         $translatedValues[$key] = __($value, $domain);
+         $unsanitized = Sanitizer::unsanitize(__($value, $domain));
+         $translatedValues[$key] = $unsanitized;
       }
       if (!empty($values)) {
          $html .= Dropdown::showFromArray($fieldName, $translatedValues, [
diff --git a/inc/formanswer.class.php b/inc/formanswer.class.php
index a5ff1f575..92f5aab61 100644
--- a/inc/formanswer.class.php
+++ b/inc/formanswer.class.php
@@ -1423,7 +1423,7 @@ protected function validateFormAnswer($input): bool {
                   );
                }
 
-              $this->isAnswersValid = false;
+               $this->isAnswersValid = false;
             }
          }
       }
diff --git a/install/install.php b/install/install.php
index f4e9bb8ca..47e245654 100644
--- a/install/install.php
+++ b/install/install.php
@@ -82,6 +82,7 @@ class PluginFormcreatorInstall {
       '2.13.3' => '2.13.4',
       '2.13.4' => '2.13.5',
       '2.13.5' => '2.13.6',
+      '2.13.6' => '2.13.7',
    ];
 
    protected bool $resyncIssues = false;
diff --git a/install/mysql/plugin_formcreator_2.13.7_empty.sql b/install/mysql/plugin_formcreator_2.13.7_empty.sql
new file mode 100644
index 000000000..6838b92fb
--- /dev/null
+++ b/install/mysql/plugin_formcreator_2.13.7_empty.sql
@@ -0,0 +1,352 @@
+-- Database schema
+-- Do NOT drop anything here
+
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_answers` (
+  `id` int unsigned NOT NULL AUTO_INCREMENT,
+  `plugin_formcreator_formanswers_id` int unsigned NOT NULL DEFAULT '0',
+  `plugin_formcreator_questions_id`   int unsigned NOT NULL DEFAULT '0',
+  `answer`                            longtext,
+  PRIMARY KEY (`id`),
+  INDEX `plugin_formcreator_formanswers_id` (`plugin_formcreator_formanswers_id`),
+  INDEX `plugin_formcreator_questions_id` (`plugin_formcreator_questions_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_categories` (
+  `id`                               int unsigned NOT NULL AUTO_INCREMENT,
+  `name`                             varchar(255) NOT NULL DEFAULT '',
+  `comment`                          mediumtext,
+  `completename`                     varchar(255) DEFAULT NULL,
+  `plugin_formcreator_categories_id` int unsigned NOT NULL DEFAULT '0',
+  `level`                            int(11) NOT NULL DEFAULT '1',
+  `sons_cache`                       longtext,
+  `ancestors_cache`                  longtext,
+  `knowbaseitemcategories_id`        int unsigned NOT NULL DEFAULT '0',
+  PRIMARY KEY (`id`),
+  INDEX `name` (`name`),
+  INDEX `knowbaseitemcategories_id` (`knowbaseitemcategories_id`),
+  INDEX `plugin_formcreator_categories_id` (`plugin_formcreator_categories_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_entityconfigs` (
+  `id`                      int unsigned NOT NULL AUTO_INCREMENT,
+  `entities_id`             int unsigned NOT NULL DEFAULT '0',
+  `replace_helpdesk`        int(11) NOT NULL DEFAULT '-2',
+  `default_form_list_mode`  int(11) NOT NULL DEFAULT '-2',
+  `sort_order`              int(11) NOT NULL DEFAULT '-2',
+  `is_kb_separated`         int(11) NOT NULL DEFAULT '-2',
+  `is_search_visible`       int(11) NOT NULL DEFAULT '-2',
+  `is_dashboard_visible`    int(11) NOT NULL DEFAULT '-2',
+  `is_header_visible`       int(11) NOT NULL DEFAULT '-2',
+  `is_search_issue_visible` int(11) NOT NULL DEFAULT '-2',
+  `tile_design`             int(11) NOT NULL DEFAULT '-2',
+  `header`                  text,
+  `service_catalog_home`    int(11) NOT NULL DEFAULT '-2',
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `unicity` (`entities_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_forms` (
+  `id`                               int unsigned NOT NULL AUTO_INCREMENT,
+  `name`                             varchar(255) NOT NULL DEFAULT '',
+  `entities_id`                      int unsigned NOT NULL DEFAULT '0',
+  `is_recursive`                     tinyint(1)   NOT NULL DEFAULT '0',
+  `icon`                             varchar(255) NOT NULL DEFAULT '',
+  `icon_color`                       varchar(255) NOT NULL DEFAULT '',
+  `background_color`                 varchar(255) NOT NULL DEFAULT '',
+  `access_rights`                    tinyint(1)   NOT NULL DEFAULT '1',
+  `description`                      varchar(255) DEFAULT NULL,
+  `content`                          longtext,
+  `plugin_formcreator_categories_id` int unsigned NOT NULL DEFAULT '0',
+  `is_active`                        tinyint(1)   NOT NULL DEFAULT '0',
+  `language`                         varchar(255) NOT NULL DEFAULT '',
+  `helpdesk_home`                    tinyint(1)   NOT NULL DEFAULT '0',
+  `is_deleted`                       tinyint(1)   NOT NULL DEFAULT '0',
+  `validation_required`              tinyint(1)   NOT NULL DEFAULT '0',
+  `usage_count`                      int(11)      NOT NULL DEFAULT '0',
+  `is_default`                       tinyint(1)   NOT NULL DEFAULT '0',
+  `is_captcha_enabled`               tinyint(1)   NOT NULL DEFAULT '0',
+  `show_rule`                        int(11)      NOT NULL DEFAULT '1' COMMENT 'Conditions setting to show the submit button',
+  `formanswer_name`                  varchar(255) NOT NULL DEFAULT '',
+  `is_visible`                       tinyint      NOT NULL DEFAULT 1,
+  `uuid`                             varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  INDEX `entities_id` (`entities_id`),
+  INDEX `plugin_formcreator_categories_id` (`plugin_formcreator_categories_id`),
+  FULLTEXT KEY `Search` (`name`,`description`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_formanswers` (
+  `id`                          int unsigned NOT NULL AUTO_INCREMENT,
+  `name`                        varchar(255) NOT NULL DEFAULT '',
+  `entities_id`                 int unsigned NOT NULL DEFAULT '0',
+  `is_recursive`                tinyint(1)   NOT NULL DEFAULT '0',
+  `plugin_formcreator_forms_id` int unsigned NOT NULL DEFAULT '0',
+  `requester_id`                int unsigned NOT NULL DEFAULT '0',
+  `users_id_validator`          int unsigned NOT NULL DEFAULT '0' COMMENT 'User in charge of validation',
+  `groups_id_validator`         int unsigned NOT NULL DEFAULT '0' COMMENT 'Group in charge of validation',
+  `request_date`                timestamp    NULL,
+  `status`                      int(11)      NOT NULL DEFAULT '101',
+  `comment`                     mediumtext,
+  PRIMARY KEY (`id`),
+  INDEX `plugin_formcreator_forms_id` (`plugin_formcreator_forms_id`),
+  INDEX `entities_id_is_recursive` (`entities_id`, `is_recursive`),
+  INDEX `requester_id` (`requester_id`),
+  INDEX `users_id_validator` (`users_id_validator`),
+  INDEX `groups_id_validator` (`groups_id_validator`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_forms_profiles` (
+  `id`                          int unsigned NOT NULL AUTO_INCREMENT,
+  `plugin_formcreator_forms_id` int unsigned NOT NULL DEFAULT '0',
+  `profiles_id`                 int unsigned NOT NULL DEFAULT '0',
+  `uuid`                        varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `unicity` (`plugin_formcreator_forms_id`,`profiles_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_forms_users` (
+  `id`                          int unsigned NOT NULL AUTO_INCREMENT,
+  `plugin_formcreator_forms_id` int unsigned NOT NULL,
+  `users_id`                    int unsigned NOT NULL,
+  `uuid`                        varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `unicity` (`plugin_formcreator_forms_id`,`users_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_forms_groups` (
+  `id`                          int unsigned NOT NULL AUTO_INCREMENT,
+  `plugin_formcreator_forms_id` int unsigned NOT NULL,
+  `groups_id`                   int unsigned NOT NULL,
+  `uuid`                        varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `unicity` (`plugin_formcreator_forms_id`,`groups_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_forms_validators` (
+  `id`                          int unsigned NOT NULL AUTO_INCREMENT,
+  `plugin_formcreator_forms_id` int unsigned NOT NULL DEFAULT '0',
+  `itemtype`                    varchar(255) NOT NULL DEFAULT '',
+  `items_id`                    int unsigned NOT NULL DEFAULT '0',
+  `uuid`                        varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `unicity` (`plugin_formcreator_forms_id`,`itemtype`,`items_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_questions` (
+  `id`                             int unsigned NOT NULL AUTO_INCREMENT,
+  `name`                           varchar(255) NOT NULL DEFAULT '',
+  `plugin_formcreator_sections_id` int unsigned NOT NULL DEFAULT '0',
+  `fieldtype`                      varchar(30)  NOT NULL DEFAULT 'text',
+  `required`                       tinyint(1)   NOT NULL DEFAULT '0',
+  `show_empty`                     tinyint(1)   NOT NULL DEFAULT '0',
+  `default_values`                 mediumtext,
+  `itemtype`                       varchar(255) NOT NULL DEFAULT '' COMMENT 'itemtype used for glpi objects and dropdown question types',
+  `values`                         mediumtext,
+  `description`                    mediumtext,
+  `row`                            int(11)      NOT NULL DEFAULT '0',
+  `col`                            int(11)      NOT NULL DEFAULT '0',
+  `width`                          int(11)      NOT NULL DEFAULT '0',
+  `show_rule`                      int(11)      NOT NULL DEFAULT '1',
+  `uuid`                           varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  INDEX `plugin_formcreator_sections_id` (`plugin_formcreator_sections_id`),
+  FULLTEXT KEY `Search` (`name`,`description`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_conditions` (
+	`id`                              int unsigned NOT NULL AUTO_INCREMENT,
+	`itemtype`                        varchar(255) NOT NULL DEFAULT '' COMMENT 'itemtype of the item affected by the condition',
+	`items_id`                        int unsigned NOT NULL DEFAULT '0' COMMENT 'item ID of the item affected by the condition',
+	`plugin_formcreator_questions_id` int unsigned NOT NULL DEFAULT '0' COMMENT 'question to test for the condition',
+	`show_condition`                  int(11)      NOT NULL DEFAULT '0',
+	`show_value`                      mediumtext   NULL DEFAULT NULL,
+	`show_logic`                      int(11)      NOT NULL DEFAULT '1',
+	`order`                           int(11)      NOT NULL DEFAULT '1',
+	`uuid`                            varchar(255) NULL DEFAULT NULL,
+	PRIMARY KEY (`id`),
+	INDEX `plugin_formcreator_questions_id` (`plugin_formcreator_questions_id`),
+  INDEX `item` (`itemtype`, `items_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_sections` (
+  `id`                          int unsigned NOT NULL AUTO_INCREMENT,
+  `name`                        varchar(255) NOT NULL DEFAULT '',
+  `plugin_formcreator_forms_id` int unsigned NOT NULL DEFAULT '0',
+  `order`                       int(11)      NOT NULL DEFAULT '0',
+  `show_rule`                   int(11)      NOT NULL DEFAULT '1',
+  `uuid`                        varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  INDEX `plugin_formcreator_forms_id` (`plugin_formcreator_forms_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_targetchanges` (
+  `id`                             int unsigned NOT NULL AUTO_INCREMENT,
+  `name`                           varchar(255) NOT NULL DEFAULT '',
+  `plugin_formcreator_forms_id`    int unsigned NOT NULL DEFAULT '0',
+  `target_name`                    varchar(255) NOT NULL DEFAULT '',
+  `changetemplates_id`             int unsigned NOT NULL DEFAULT '0',
+  `content`                        longtext,
+  `impactcontent`                  longtext,
+  `controlistcontent`              longtext,
+  `rolloutplancontent`             longtext,
+  `backoutplancontent`             longtext,
+  `checklistcontent`               longtext,
+  `due_date_rule`                  int(11) NOT NULL DEFAULT '1',
+  `due_date_question`              int unsigned NOT NULL DEFAULT '0',
+  `due_date_value`                 tinyint(4) DEFAULT NULL,
+  `due_date_period`                int(11) NOT NULL DEFAULT '0',
+  `urgency_rule`                   int(11) NOT NULL DEFAULT '1',
+  `urgency_question`               int unsigned NOT NULL DEFAULT '0',
+  `validation_followup`            tinyint(1) NOT NULL DEFAULT '1',
+  `destination_entity`             int(11) NOT NULL DEFAULT '1',
+  `destination_entity_value`       int unsigned NOT NULL DEFAULT '0',
+  `tag_type`                       int(11) NOT NULL DEFAULT '1',
+  `tag_questions`                  varchar(255) NOT NULL DEFAULT '',
+  `tag_specifics`                  varchar(255) NOT NULL DEFAULT '',
+  `category_rule`                  int(11) NOT NULL DEFAULT '1',
+  `category_question`              int unsigned NOT NULL DEFAULT '0',
+  `commonitil_validation_rule`     int(11) NOT NULL DEFAULT '1',
+  `commonitil_validation_question` varchar(255) DEFAULT NULL,
+  `show_rule`                      int(11) NOT NULL DEFAULT '1',
+  `sla_rule`                       int(11) NOT NULL DEFAULT '1',
+  `sla_question_tto`               int unsigned NOT NULL DEFAULT '0',
+  `sla_question_ttr`               int unsigned NOT NULL DEFAULT '0',
+  `ola_rule`                       int(11) NOT NULL DEFAULT '1',
+  `ola_question_tto`               int unsigned NOT NULL DEFAULT '0',
+  `ola_question_ttr`               int unsigned NOT NULL DEFAULT '0',
+  `uuid`                           varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_targettickets` (
+  `id`                             int unsigned NOT NULL AUTO_INCREMENT,
+  `name`                           varchar(255) NOT NULL DEFAULT '',
+  `plugin_formcreator_forms_id`    int unsigned NOT NULL DEFAULT '0',
+  `target_name`                    varchar(255) NOT NULL DEFAULT '',
+  `source_rule`                    int(11) NOT NULL DEFAULT '0',
+  `source_question`                int(11) NOT NULL DEFAULT '0',
+  `type_rule`                      int(11)      NOT NULL DEFAULT '0',
+  `type_question`                  int unsigned NOT NULL DEFAULT '0',
+  `tickettemplates_id`             int unsigned NOT NULL DEFAULT '0',
+  `content`                        longtext,
+  `due_date_rule`                  int(11)      NOT NULL DEFAULT '1',
+  `due_date_question`              int unsigned NOT NULL DEFAULT '0',
+  `due_date_value`                 tinyint(4)   DEFAULT NULL,
+  `due_date_period`                int(11)      NOT NULL DEFAULT '0',
+  `urgency_rule`                   int(11)      NOT NULL DEFAULT '1',
+  `urgency_question`               int unsigned NOT NULL DEFAULT '0',
+  `validation_followup`            tinyint(1)   NOT NULL DEFAULT '1',
+  `destination_entity`             int(11)      NOT NULL DEFAULT '1',
+  `destination_entity_value`       int unsigned NOT NULL DEFAULT '0',
+  `tag_type`                       int(11)      NOT NULL DEFAULT '1',
+  `tag_questions`                  varchar(255) NOT NULL DEFAULT '',
+  `tag_specifics`                  varchar(255) NOT NULL DEFAULT '',
+  `category_rule`                  int(11)      NOT NULL DEFAULT '1',
+  `category_question`              int unsigned NOT NULL DEFAULT '0',
+  `associate_rule`                 int(11)      NOT NULL DEFAULT '1',
+  `associate_question`             int unsigned NOT NULL DEFAULT '0',
+  `location_rule`                  int(11)      NOT NULL DEFAULT '1',
+  `location_question`              int unsigned NOT NULL DEFAULT '0',
+  `commonitil_validation_rule`     int(11)      NOT NULL DEFAULT '1',
+  `commonitil_validation_question` varchar(255) DEFAULT NULL,
+  `show_rule`                      int(11)      NOT NULL DEFAULT '1',
+  `sla_rule`                       int(11)      NOT NULL DEFAULT '1',
+  `sla_question_tto`               int unsigned NOT NULL DEFAULT '0',
+  `sla_question_ttr`               int unsigned NOT NULL DEFAULT '0',
+  `ola_rule`                       int(11)      NOT NULL DEFAULT '1',
+  `ola_question_tto`               int unsigned NOT NULL DEFAULT '0',
+  `ola_question_ttr`               int unsigned NOT NULL DEFAULT '0',
+  `uuid`                           varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  INDEX `tickettemplates_id` (`tickettemplates_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_targetproblems` (
+  `id`                          int unsigned NOT NULL AUTO_INCREMENT,
+  `name`                        varchar(255) NOT NULL DEFAULT '',
+  `plugin_formcreator_forms_id` int unsigned NOT NULL DEFAULT '0',
+  `target_name`                 varchar(255) NOT NULL DEFAULT '',
+  `problemtemplates_id`         int unsigned NOT NULL DEFAULT '0',
+  `content`                     longtext,
+  `impactcontent`               longtext,
+  `causecontent`                longtext,
+  `symptomcontent`              longtext,
+  `urgency_rule`                int(11)      NOT NULL DEFAULT '1',
+  `urgency_question`            int unsigned NOT NULL DEFAULT '0',
+  `destination_entity`          int(11)      NOT NULL DEFAULT '1',
+  `destination_entity_value`    int unsigned NOT NULL DEFAULT '0',
+  `tag_type`                    int(11)      NOT NULL DEFAULT '1',
+  `tag_questions`               varchar(255) NOT NULL DEFAULT '',
+  `tag_specifics`               varchar(255) NOT NULL DEFAULT '',
+  `category_rule`               int(11)      NOT NULL DEFAULT '1',
+  `category_question`           int unsigned NOT NULL DEFAULT '0',
+  `show_rule`                   int(11)      NOT NULL DEFAULT '1',
+  `uuid`                        varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  INDEX `problemtemplates_id` (`problemtemplates_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_targets_actors` (
+  `id`               int unsigned NOT NULL AUTO_INCREMENT,
+  `itemtype`         varchar(255) DEFAULT NULL,
+  `items_id`         int unsigned NOT NULL DEFAULT '0',
+  `actor_role`       int(11)      NOT NULL DEFAULT '1',
+  `actor_type`       int(11)      NOT NULL DEFAULT '1',
+  `actor_value`      int unsigned NOT NULL DEFAULT '0',
+  `use_notification` tinyint(1)   NOT NULL DEFAULT '1',
+  `uuid`             varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  INDEX `item` (`itemtype`, `items_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_issues` (
+  `id`                    int unsigned  NOT NULL AUTO_INCREMENT,
+  `name`                  varchar(255)  NULL DEFAULT NULL,
+  `display_id`            varchar(255)  NOT NULL,
+  `items_id`              int unsigned  NOT NULL DEFAULT '0',
+  `itemtype`              varchar(255)  NOT NULL DEFAULT '',
+  `status`                varchar(255)  NOT NULL DEFAULT '',
+  `date_creation`         timestamp     NULL,
+  `date_mod`              timestamp     NULL,
+  `entities_id`           int unsigned  NOT NULL DEFAULT '0',
+  `is_recursive`          tinyint(1)    NOT NULL DEFAULT '0',
+  `requester_id`          int unsigned  NOT NULL DEFAULT '0',
+  `comment`               longtext,
+  `users_id_recipient`    int unsigned  NOT NULL DEFAULT '0',
+  PRIMARY KEY (`id`),
+  INDEX `item` (`itemtype`, `items_id`),
+  INDEX `entities_id` (`entities_id`),
+  INDEX `requester_id` (`requester_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_items_targettickets` (
+  `id`                                  int unsigned NOT NULL AUTO_INCREMENT,
+  `plugin_formcreator_targettickets_id` int unsigned NOT NULL DEFAULT '0',
+  `link`                                int(11)      NOT NULL DEFAULT '0',
+  `itemtype`                            varchar(255) NOT NULL DEFAULT '',
+  `items_id`                            int unsigned NOT NULL DEFAULT '0',
+  `uuid`                                varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  INDEX `plugin_formcreator_targettickets_id` (`plugin_formcreator_targettickets_id`),
+  INDEX `item` (`itemtype`,`items_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_questiondependencies` (
+  `id`                                int unsigned  NOT NULL AUTO_INCREMENT,
+  `plugin_formcreator_questions_id`   int unsigned  NOT NULL DEFAULT '0',
+  `plugin_formcreator_questions_id_2` int unsigned  NOT NULL DEFAULT '0',
+  `fieldname`                         varchar(255)  DEFAULT NULL,
+  `uuid`                              varchar(255)  DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  INDEX `plugin_formcreator_questions_id` (`plugin_formcreator_questions_id`),
+  INDEX `plugin_formcreator_questions_id_2` (`plugin_formcreator_questions_id_2`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_questionregexes` (
+  `id`                                int unsigned  NOT NULL AUTO_INCREMENT,
+  `plugin_formcreator_questions_id`   int unsigned  NOT NULL DEFAULT '0',
+  `regex`                             mediumtext    DEFAULT NULL,
+  `fieldname`                         varchar(255)  DEFAULT NULL,
+  `uuid`                              varchar(255)  DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  INDEX `plugin_formcreator_questions_id` (`plugin_formcreator_questions_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_questionranges` (
+  `id`                                int unsigned  NOT NULL AUTO_INCREMENT,
+  `plugin_formcreator_questions_id`   int unsigned  NOT NULL DEFAULT '0',
+  `range_min`                         varchar(255)  DEFAULT NULL,
+  `range_max`                         varchar(255)  DEFAULT NULL,
+  `fieldname`                         varchar(255)  DEFAULT NULL,
+  `uuid`                              varchar(255)  DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  INDEX `plugin_formcreator_questions_id` (`plugin_formcreator_questions_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+CREATE TABLE IF NOT EXISTS `glpi_plugin_formcreator_forms_languages` (
+  `id`                                int unsigned  NOT NULL AUTO_INCREMENT,
+  `plugin_formcreator_forms_id`       int unsigned  NOT NULL DEFAULT '0',
+  `name`                              varchar(255)  DEFAULT NULL,
+  `comment`                           text,
+  `uuid`                              varchar(255)  DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
\ No newline at end of file
diff --git a/install/upgrade_to_2.13.7.php b/install/upgrade_to_2.13.7.php
new file mode 100644
index 000000000..c1b99d387
--- /dev/null
+++ b/install/upgrade_to_2.13.7.php
@@ -0,0 +1,86 @@
+<?php
+/**
+ * ---------------------------------------------------------------------
+ * Formcreator is a plugin which allows creation of custom forms of
+ * easy access.
+ * ---------------------------------------------------------------------
+ * LICENSE
+ *
+ * This file is part of Formcreator.
+ *
+ * Formcreator is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * Formcreator is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Formcreator. If not, see <http://www.gnu.org/licenses/>.
+ * ---------------------------------------------------------------------
+ * @copyright Copyright © 2011 - 2021 Teclib'
+ * @license   http://www.gnu.org/licenses/gpl.txt GPLv3+
+ * @link      https://github.com/pluginsGLPI/formcreator/
+ * @link      https://pluginsglpi.github.io/formcreator/
+ * @link      http://plugins.glpi-project.org/#/plugin/formcreator
+ * ---------------------------------------------------------------------
+ */
+
+use Glpi\Toolbox\Sanitizer;
+
+class PluginFormcreatorUpgradeTo2_13_7 {
+   /** @var Migration */
+   protected $migration;
+
+   public function isResyncIssuesRequired() {
+      return false;
+   }
+
+   /**
+    * @param Migration $migration
+    */
+   public function upgrade(Migration $migration) {
+      $this->migration = $migration;
+      $this->fixEncodingInQuestions();
+   }
+
+   /**
+    * Select and multiseiect questions pay contain RAW ampersand (&)
+    * it must be encoded, or select / multiselect fields will not validate answers
+    * containing this character
+    *
+    * @return void
+    */
+   public function fixEncodingInQuestions() {
+      global $DB;
+
+      $table = 'glpi_plugin_formcreator_questions';
+      $result = $DB->request([
+         'SELECT' => 'id',
+         'FROM' => $table,
+         'WHERE' => [
+            'fieldtype' => ['select', 'multiselect'],
+            'values' => ['REGEXP', $DB->escape('&(?!#38;)')],
+         ],
+      ]);
+
+      foreach ($result as $row) {
+         $values = json_decode($row['values']);
+         if (!is_array($values) || $values === null) {
+            continue;
+         }
+         foreach ($values as &$value) {
+            $value = Sanitizer::encodeHtmlSpecialChars($value);
+         }
+         $values = json_encode($values);
+         $DB->update(
+            $table,
+            ['values' => $values],
+            ['id' => $row['id']]
+         );
+      }
+   }
+}
diff --git a/setup.php b/setup.php
index a14ea3385..85d4ffc20 100644
--- a/setup.php
+++ b/setup.php
@@ -33,11 +33,11 @@
 
 global $CFG_GLPI;
 // Version of the plugin (major.minor.bugfix)
-define('PLUGIN_FORMCREATOR_VERSION', '2.13.6');
+define('PLUGIN_FORMCREATOR_VERSION', '2.13.7');
 // Schema version of this version (major.minor only)
 define('PLUGIN_FORMCREATOR_SCHEMA_VERSION', '2.13');
 // is or is not an official release of the plugin
-define('PLUGIN_FORMCREATOR_IS_OFFICIAL_RELEASE', true);
+define('PLUGIN_FORMCREATOR_IS_OFFICIAL_RELEASE', false);
 
 // Minimal GLPI version, inclusive
 define ('PLUGIN_FORMCREATOR_GLPI_MIN_VERSION', '10.0');