diff --git a/classes/Validate.php b/classes/Validate.php
index bce881555..d59a63fa0 100644
--- a/classes/Validate.php
+++ b/classes/Validate.php
@@ -399,10 +399,10 @@ class ValidateCore
 $events .= '|onoffline|ononline|onpaste|onpropertychange|onreadystatechange|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onsearch|onselectionchange';
 $events .= '|onselectstart|onstart|onstop';
- if (preg_match('/<[ \t\n]*script/ims', $html) || preg_match('/('.$events.')[ \t\n]*=/ims', $html) || preg_match('/.*script\:/ims', $html))
+ if (preg_match('/<[\s]*script/ims', $html) || preg_match('/('.$events.')[\s]*=/ims', $html) || preg_match('/.*script\:/ims', $html))
 return false;
- if (!$allow_iframe && preg_match('/<[ \t\n]*(i?frame|form|input|embed|object)/ims', $html))
+ if (!$allow_iframe && preg_match('/<[\s]*(i?frame|form|input|embed|object)/ims', $html))
 return false;
 return true;
diff --git a/classes/controller/AdminController.php b/classes/controller/AdminController.php
index 48edd744d..96f068280 100644
--- a/classes/controller/AdminController.php
+++ b/classes/controller/AdminController.php
@@ -387,7 +387,7 @@ class AdminControllerCore extends Controller
 $filter = '';
 foreach ($this->fields_list AS $field => $t)
 {
- if ($val = Tools::getValue($this->table.'Filter_'.$field))
+ if ($val = htmlspecialchars(Tools::getValue($this->table.'Filter_'.$field), ENT_QUOTES, 'UTF-8'))
 {
 if(!is_array($val) && !empty($val))
 $filter .= ($filter ? ', ' : $this->l(' filter by ')).$t['title'].' : ';
diff --git a/themes/default/order-detail.tpl b/themes/default/order-detail.tpl
index b1a0144c7..d7fb91517 100644
--- a/themes/default/order-detail.tpl
+++ b/themes/default/order-detail.tpl
@@ -310,6 +310,21 @@
+ {if $return_allowed} +
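Review bot: The two rewritten `+` lines wrap the whitespace escape in a character class, `[\s]*`, which is exactly `\s*`; and the untouched third alternative `/.*script\:/ims` keeps a leading `.*` that only adds backtracking on long `$html` without changing whether it matches, since the pattern is unanchored. Suggested first changed line: `if (preg_match('/<\s*script/ims', $html) || preg_match('/('.$events.')\s*=/ims', $html) || preg_match('/script:/ims', $html))`, and `/<\s*(i?frame|form|input|embed|object)/ims` on the second. The check remains a denylist: switching to `\s` closes the gap for whitespace other than space, tab and newline, but any tag or attribute that is not in `$events` or the tag list still passes, so if the project has an allowlist-based HTML sanitizer that is the more durable place to enforce this. The enclosing function starts before this hunk.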
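Review bot: The new `+` line feeds the raw `Tools::getValue()` result straight into `htmlspecialchars()`, yet the `!is_array($val)` test two lines below shows that value can be an array; `htmlspecialchars()` on an array emits a warning and returns null on PHP 5/7 and throws a `TypeError` on PHP 8, so array filters are now either silently dropped or fatal. Escaping at input time also rewrites `$val` itself — if the same variable is later used as the filter value for the lookup (the rest of the loop body is outside the hunk, so this is inferred), any value containing `'`, `"`, `<` or `&` will no longer match what is stored, and escaping should instead happen where `$filter` is rendered. At minimum, escape only when the value is a string, keeping the array path intact; the loop and the enclosing method continue outside the hunk.
```php
$val = Tools::getValue($this->table.'Filter_'.$field);
if (is_string($val))
    $val = htmlspecialchars($val, ENT_QUOTES, 'UTF-8');
if ($val)
{
    // … unchanged: is_array()/empty() check and title append …
```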
{l s='If you wish to return one or more products, please mark the corresponding boxes and provide an explanation for the return. When complete, click the button below.'}
++ +
++ + +
+