diff --git a/ecrire/inc/texte.php b/ecrire/inc/texte.php
index 6090a10d683515f529b061a2af6a896dc9586c7e..cdaef69dece37046191a52c1f851c2ee3449bded 100644
--- a/ecrire/inc/texte.php
+++ b/ecrire/inc/texte.php
@@ -270,7 +270,10 @@ function typo($letexte, $echapper = true, $connect = null, $env = array()) {
 // Dans l'espace prive on se mefie de tout contenu dangereux
 // https://core.spip.net/issues/3371
- if (isset($env['espace_prive']) and $env['espace_prive']) {
+ // et aussi dans l'espace public si la globale filtrer_javascript = -1
+ // https://core.spip.net/issues/4166
+ if ($GLOBALS['filtrer_javascript'] == -1
+ or (isset($env['espace_prive']) and $env['espace_prive'] and $GLOBALS['filtrer_javascript']<=0)) {
 $letexte = echapper_html_suspect($letexte);
 }
@@ -423,6 +426,17 @@ function propre($t, $connect = null, $env = array()) {
 return strval($t);
 }
+ // Dans l'espace prive on se mefie de tout contenu dangereux
+ // avant echappement des balises <html>
+ // https://core.spip.net/issues/3371
+ // et aussi dans l'espace public si la globale filtrer_javascript = -1
+ // https://core.spip.net/issues/4166
+ if ($interdire_script
+ or $GLOBALS['filtrer_javascript'] == -1
+ or (isset($env['espace_prive']) and $env['espace_prive'] and $GLOBALS['filtrer_javascript']<=0)
+ or (isset($env['wysiwyg']) and $env['wysiwyg'] and $GLOBALS['filtrer_javascript']<=0)) {
+ $t = echapper_html_suspect($t, false);
+ }
 $t = echappe_html($t);
 $t = expanser_liens($t, $connect, $env);
 $t = traiter_raccourcis($t);
diff --git a/ecrire/inc/texte_mini.php b/ecrire/inc/texte_mini.php
index 3c9609c28f123c6cdd55aca01a2d61037d538cb9..2544d9826c42deed0fc4c879c3f6d4bf1bb94528 100644
--- a/ecrire/inc/texte_mini.php
+++ b/ecrire/inc/texte_mini.php
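Review bot: `$GLOBALS['filtrer_javascript']` is read unguarded twice in the new typo() condition, so an installation where that global is not set gets an undefined-index notice on every call (the propre() hunk below reads it the same way, three times), while the neighbouring `isset($env['espace_prive'])` shows the file's own convention for optional values. Normalise it once before the test, e.g. `$filtrer_js = isset($GLOBALS['filtrer_javascript']) ? intval($GLOBALS['filtrer_javascript']) : 0;` followed by `if ($filtrer_js === -1 or (isset($env['espace_prive']) and $env['espace_prive'] and $filtrer_js <= 0)) {` — a default of 0 gives the same outcome the current `== -1` / `<= 0` pair yields for a null value, without the notice. The `<= 0` clause is also a behaviour change the comment does not mention: before this commit the private space escaped suspect content unconditionally, after it any value above 0 (if the setting accepts one) switches the check off there, so the comment should state that, e.g. `// a value > 0 disables this escaping even in the private space`. typo()'s body continues outside the hunk.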
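Review bot: The four-clause guard inserted before `$t = echappe_html($t);` repeats the typo() condition from the first hunk and adds a `wysiwyg` clause, evaluating `$GLOBALS['filtrer_javascript']` three separate times; two hand-copied versions of the same security decision will drift, so the test belongs in one helper both functions call. `$interdire_script` is assigned above the hunk (not visible here), so I assume it is initialised on every path before this point — if it is not, the `or` chain raises a notice and the clause silently reads as false. A helper such as the one below, called as `if (doit_echapper_html_suspect($env, array('espace_prive', 'wysiwyg'), $interdire_script)) {` here and `if (doit_echapper_html_suspect($env, array('espace_prive'))) {` in typo(), keeps both current behaviours while reading the global once and guarding it. propre()'s body continues outside the hunk.
```php
// Proposed helper (new function, name to taste): the single place for the
// "escape suspect HTML?" decision shared by typo() and propre().
// $flags lists the $env keys that trigger the escaping when filtrer_javascript <= 0.
function doit_echapper_html_suspect($env, $flags = array('espace_prive'), $interdire_script = false) {
	// defaulting an unset global to 0 matches what the current == -1 / <= 0 tests give for null
	$filtrer_js = isset($GLOBALS['filtrer_javascript']) ? intval($GLOBALS['filtrer_javascript']) : 0;
	if ($interdire_script or $filtrer_js === -1) {
		return true;
	}
	if ($filtrer_js > 0) {
		return false;
	}
	foreach ($flags as $flag) {
		if (isset($env[$flag]) and $env[$flag]) {
			return true;
		}
	}
	return false;
}
```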
@@ -473,7 +473,7 @@ function echapper_html_suspect($texte, $strict=true) {
 if (!function_exists('attribut_html')) {
 include_spip('inc/filtres');
 }
- $texte = "<mark title='".attribut_html(_T('erreur_contenu_suspect'))."'>âš ï¸</mark> ".$texte;
+ $texte = "<mark class='danger-js' title='".attribut_html(_T('erreur_contenu_suspect'))."'>âš ï¸</mark> ".$texte;
 }
 return $texte;
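Review bot: The warning glyph on the rewritten `$texte = "<mark class='danger-js' ...` line is a raw multibyte literal inside the string (it shows as mojibake here, which may be a page-encoding artefact rather than the file's content, but it illustrates the risk); emitting it as an HTML character reference, `'>&#x26A0;&#xFE0F;</mark> '`, keeps the markup independent of the source file's encoding, while the title keeps going through attribut_html() as it does now. The new class name is documented nowhere in the hunk; a one-line comment above the assignment, `// .danger-js is the styling hook for the suspect-content marker`, would tell the stylesheet side what to match. echapper_html_suspect()'s body starts outside the hunk.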