diff --git a/ecrire/exec/info_plugin.php b/ecrire/exec/info_plugin.php
index 77943b6a17..8043b908c8 100644
--- a/ecrire/exec/info_plugin.php
+++ b/ecrire/exec/info_plugin.php
@@ -25,7 +25,7 @@ function exec_info_plugin_dist() {
 include_spip('inc/minipres');
 echo minipres();
 } else {
- $plug = _DIR_RACINE . _request('plugin');
+ $plug = _DIR_RACINE . htmlspecialchars(_request('plugin'));
 $get_infos = charger_fonction('get_infos', 'plugins');
 $dir = "";
 if (strncmp($plug, _DIR_PLUGINS, strlen(_DIR_PLUGINS)) == 0) {
diff --git a/ecrire/exec/puce_statut.php b/ecrire/exec/puce_statut.php
index 3b27e32fba..d29aa4591d 100644
--- a/ecrire/exec/puce_statut.php
+++ b/ecrire/exec/puce_statut.php
@@ -52,13 +52,13 @@ function exec_puce_statut_dist() {
 * @return string Code HTML
 **/
 function exec_puce_statut_args($id, $type) {
+ $id = intval($id);
 if ($table_objet_sql = table_objet_sql($type)
 and $d = lister_tables_objets_sql($table_objet_sql)
 and isset($d['statut_textes_instituer'])
 and $d['statut_textes_instituer']
 ) {
 $prim = id_table_objet($type);
- $id = intval($id);
 if (isset($d['field']['id_rubrique'])) {
 $select = "id_rubrique,statut";
 } else {
@@ -68,7 +68,7 @@ function exec_puce_statut_args($id, $type) {
 $statut = $r['statut'];
 $id_rubrique = $r['id_rubrique'];
 } else {
- $id_rubrique = intval($id);
+ $id_rubrique = $id;
 $statut = 'prop'; // arbitraire
 }
 $puce_statut = charger_fonction('puce_statut', 'inc');
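Review bot: In the info_plugin.php hunk, wrapping `_request('plugin')` in `htmlspecialchars()` does not validate the value as a filesystem path: that function only rewrites `&`, `<`, `>` and quotes, so dot segments and directory separators pass through untouched, and the following `strncmp($plug, _DIR_PLUGINS, ...)` is a string-prefix check, not a containment check, so a value that starts with the plugins prefix but steps out of it is still accepted as far as these lines show. Applying an HTML-output escape at the input boundary also mangles any legitimate plugin path containing one of those characters before it reaches `$get_infos`. The safer shape is to keep `$plug = _DIR_RACINE . _request('plugin');` for the lookup, canonicalise with `$real = realpath($plug);` and require that `$real` is not `false` and starts with `realpath(_DIR_PLUGINS)` (or the dist directory, if the later branch handles it) before reading anything, and call `htmlspecialchars($plug)` only where the value is echoed into HTML. exec_info_plugin_dist's body continues outside the hunk, so whether a later `realpath`/containment check already exists cannot be confirmed from here; the `$id = intval($id);` hoist in the puce_statut.php hunks is fine and needs no change.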