diff --git a/ecrire/exec/documenter.php b/ecrire/exec/documenter.php
index 6b6bc124c3988b2db93f0123e14b54b3be97cf19..f5000abccd8e04fbed8a3df98123637f7fc10447 100644
--- a/ecrire/exec/documenter.php
+++ b/ecrire/exec/documenter.php
@@ -15,23 +15,25 @@ if (!defined("_ECRIRE_INC_VERSION")) return;
 // http://doc.spip.org/@exec_documenter_dist
 function exec_documenter_dist()
 {
-	$type = _request("type");
-	$script = _request("script"); // generalisation a tester
+	$script = _request('script'); // generalisation a tester
+	$iframe = _request('iframe');
+	$album = _request('s');
+	$type = _request('type');
 	$id = intval(_request(id_table_objet($type)));
-	exec_documenter_args($id, $type, $script, _request('s'));
+	exec_documenter_args($id, $type, $script, $album, $iframe);
 }
 
 // http://doc.spip.org/@exec_documenter_args
-function exec_documenter_args($id, $type, $script, $album='')
+function exec_documenter_args($id, $type, $script, $album='', $iframe=false)
 {
-	if (!$id OR !autoriser('modifier', $type, $id)) {
+	if (!$id OR !autoriser('modifier', $type, $id) OR !preg_match('/^\w*$/', $script)) {
 		include_spip('inc/minipres');
 		echo minipres();
 	} else {
 		$album = !$album ? 'documents' :  'portfolio';
 		include_spip('inc/actions');
 		$documenter = charger_fonction('documenter', 'inc');
-		if(_request("iframe")=="iframe") { 
+		if ($iframe==='iframe') { 
 			$res = $documenter($id, $type, "portfolio", 'ajax', '', $script).
 			  $documenter($id, $type, "documents", 'ajax', '', $script);
 			ajax_retour("<div class='upload_answer upload_document_added'>".$res."</div>",false);
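Review bot: The new `$script` guard in exec_documenter_args, `preg_match('/^\w*$/', $script)`, still accepts a value that ends in a newline, because `$` without the `D` modifier also matches just before a final `\n`. Since `$script` comes straight from the request and is handed on to `$documenter(...)`, the check should anchor at the true end of the string: `!preg_match('/^\w*$/D', $script)` (or use `\z`). The pattern also lets an empty value through, which looks intended for the case where no script is given; a one-line comment such as `// $script must be a bare exec script name (letters, digits, underscore) or empty` would record that. The else branch continues past the end of this hunk, so how `$script` is finally used is not visible here.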