11 files changed, 79 insertions, 33 deletions
diff --git a/application/front/controller/admin/ConfigureController.php b/application/front/controller/admin/ConfigureController.php
index e675fcca..0ed7ad81 100644
--- a/application/front/controller/admin/ConfigureController.php
+++ b/application/front/controller/admin/ConfigureController.php
@@ -30,7 +30,7 @@ class ConfigureController extends ShaarliAdminController
            'theme_available',
            ThemeUtils::getThemes($this->container->conf->get('resource.raintpl_tpl'))
        );
-        $this->assignView('formatter_available', ['default', 'markdown']);
+        $this->assignView('formatter_available', ['default', 'markdown', 'markdownExtra']);
        list($continents, $cities) = generateTimeZoneData(
            timezone_identifiers_list(),
            $this->container->conf->get('general.timezone')
diff --git a/application/front/controller/admin/ManageShaareController.php b/application/front/controller/admin/ManageShaareController.php
index 33e1188e..bb083486 100644
--- a/application/front/controller/admin/ManageShaareController.php
+++ b/application/front/controller/admin/ManageShaareController.php
@@ -69,7 +69,7 @@ class ManageShaareController extends ShaarliAdminController
                        $retrieveDescription
                    )
                );
-                if (! empty($title) && strtolower($charset) !== 'utf-8') {
+                if (! empty($title) && strtolower($charset) !== 'utf-8' && mb_check_encoding($charset)) {
                    $title = mb_convert_encoding($title, 'utf-8', $charset);
                }
            }
@@ -78,13 +78,13 @@ class ManageShaareController extends ShaarliAdminController
                $title = $this->container->conf->get('general.default_note_title', t('Note: '));
            }
-            $link = escape([
+            $link = [
                'title' => $title,
                'url' => $url ?? '',
                'description' => $description ?? '',
                'tags' => $tags ?? '',
                'private' => $private,
-            ]);
+            ];
        } else {
            $formatter = $this->container->formatterFactory->getFormatter('raw');
            $link = $formatter->format($bookmark);
@@ -127,7 +127,7 @@ class ManageShaareController extends ShaarliAdminController
        $this->checkToken($request);
        // lf_id should only be present if the link exists.
-        $id = $request->getParam('lf_id') ? intval(escape($request->getParam('lf_id'))) : null;
+        $id = $request->getParam('lf_id') !== null ? intval(escape($request->getParam('lf_id'))) : null;
        if (null !== $id && true === $this->container->bookmarkService->exists($id)) {
            // Edit
            $bookmark = $this->container->bookmarkService->get($id);
@@ -169,7 +169,7 @@ class ManageShaareController extends ShaarliAdminController
        return $this->redirectFromReferer(
            $request,
            $response,
-            ['add-shaare', 'shaare'], ['addlink', 'post', 'edit_link'],
+            ['/admin/add-shaare', '/admin/shaare'], ['addlink', 'post', 'edit_link'],
            $bookmark->getShortUrl()
        );
    }
@@ -345,14 +345,14 @@ class ManageShaareController extends ShaarliAdminController
            $tags[BookmarkMarkdownFormatter::NO_MD_TAG] = 1;
        }
-        $data = [
+        $data = escape([
            'link' => $link,
            'link_is_new' => $isNew,
-            'http_referer' => escape($this->container->environment['HTTP_REFERER'] ?? ''),
+            'http_referer' => $this->container->environment['HTTP_REFERER'] ?? '',
            'source' => $request->getParam('source') ?? '',
            'tags' => $tags,
            'default_private_links' => $this->container->conf->get('privacy.default_private_links', false),
-        ];
+        ]);
        $this->executePageHooks('render_editlink', $data, TemplatePage::EDIT_LINK);
diff --git a/application/front/controller/admin/ManageTagController.php b/application/front/controller/admin/ManageTagController.php
index 0380ef1f..2065c3e2 100644
--- a/application/front/controller/admin/ManageTagController.php
+++ b/application/front/controller/admin/ManageTagController.php
@@ -41,8 +41,8 @@ class ManageTagController extends ShaarliAdminController
        $isDelete = null !== $request->getParam('deletetag') && null === $request->getParam('renametag');
-        $fromTag = escape(trim($request->getParam('fromtag') ?? ''));
+        $fromTag = trim($request->getParam('fromtag') ?? '');
-        $toTag = escape(trim($request->getParam('totag') ?? ''));
+        $toTag = trim($request->getParam('totag') ?? '');
        if (0 === strlen($fromTag) || false === $isDelete && 0 === strlen($toTag)) {
            $this->saveWarningMessage(t('Invalid tags provided.'));
diff --git a/application/front/controller/admin/PluginsController.php b/application/front/controller/admin/PluginsController.php
index 0e09116e..8e059681 100644
--- a/application/front/controller/admin/PluginsController.php
+++ b/application/front/controller/admin/PluginsController.php
@@ -62,6 +62,7 @@ class PluginsController extends ShaarliAdminController
            if (isset($parameters['parameters_form'])) {
                unset($parameters['parameters_form']);
+                unset($parameters['token']);
                foreach ($parameters as $param => $value) {
                    $this->container->conf->set('plugins.'. $param, escape($value));
                }
diff --git a/application/front/controller/admin/ShaarliAdminController.php b/application/front/controller/admin/ShaarliAdminController.php
index 3b5939bb..c26c9cbe 100644
--- a/application/front/controller/admin/ShaarliAdminController.php
+++ b/application/front/controller/admin/ShaarliAdminController.php
@@ -4,9 +4,7 @@ declare(strict_types=1);
 namespace Shaarli\Front\Controller\Admin;
-use Shaarli\Container\ShaarliContainer;
 use Shaarli\Front\Controller\Visitor\ShaarliVisitorController;
-use Shaarli\Front\Exception\UnauthorizedException;
 use Shaarli\Front\Exception\WrongTokenException;
 use Shaarli\Security\SessionManager;
 use Slim\Http\Request;
diff --git a/application/front/controller/visitor/BookmarkListController.php b/application/front/controller/visitor/BookmarkListController.php
index 2988bee6..18368751 100644
--- a/application/front/controller/visitor/BookmarkListController.php
+++ b/application/front/controller/visitor/BookmarkListController.php
@@ -34,7 +34,7 @@ class BookmarkListController extends ShaarliVisitorController
        $formatter = $this->container->formatterFactory->getFormatter();
        $formatter->addContextData('base_path', $this->container->basePath);
-        $searchTags = escape(normalize_spaces($request->getParam('searchtags') ?? ''));
+        $searchTags = normalize_spaces($request->getParam('searchtags') ?? '');
        $searchTerm = escape(normalize_spaces($request->getParam('searchterm') ?? ''));;
        // Filter bookmarks according search parameters.
@@ -104,8 +104,9 @@ class BookmarkListController extends ShaarliVisitorController
                'page_current' => $page,
                'page_max' => $pageCount,
                'result_count' => count($linksToDisplay),
-                'search_term' => $searchTerm,
+                'search_term' => escape($searchTerm),
-                'search_tags' => $searchTags,
+                'search_tags' => escape($searchTags),
+                'search_tags_url' => array_map('urlencode', explode(' ', $searchTags)),
                'visibility' => $visibility,
                'links' => $linkDisp,
            ]
diff --git a/application/front/controller/visitor/DailyController.php b/application/front/controller/visitor/DailyController.php
index 54a4778f..07617cf1 100644
--- a/application/front/controller/visitor/DailyController.php
+++ b/application/front/controller/visitor/DailyController.php
@@ -132,7 +132,7 @@ class DailyController extends ShaarliVisitorController
                'date' => $dayDatetime,
                'date_rss' => $dayDatetime->format(DateTime::RSS),
                'date_human' => format_date($dayDatetime, false, true),
-                'absolute_url' => $indexUrl . '/daily?day=' . $day,
+                'absolute_url' => $indexUrl . 'daily?day=' . $day,
                'links' => [],
            ];
diff --git a/application/front/controller/visitor/ErrorNotFoundController.php b/application/front/controller/visitor/ErrorNotFoundController.php
new file mode 100644
index 00000000..758dd83b
--- /dev/null
+++ b/application/front/controller/visitor/ErrorNotFoundController.php
@@ -0,0 +1,29 @@
+<?php
+declare(strict_types=1);
+namespace Shaarli\Front\Controller\Visitor;
+use Slim\Http\Request;
+use Slim\Http\Response;
+/**
+ * Controller used to render the 404 error page.
+ */
+class ErrorNotFoundController extends ShaarliVisitorController
+{
+    public function __invoke(Request $request, Response $response): Response
+    {
+        // Request from the API
+        if (false !== strpos($request->getRequestTarget(), '/api/v1')) {
+            return $response->withStatus(404);
+        }
+        // This is required because the middleware is ignored if the route is not found.
+        $this->container->basePath = rtrim($request->getUri()->getBasePath(), '/');
+        $this->assignView('error_message', t('Requested page could not be found.'));
+        return $response->withStatus(404)->write($this->render('404'));
+    }
+}
diff --git a/application/front/controller/visitor/FeedController.php b/application/front/controller/visitor/FeedController.php
index da2848c2..8d8b546a 100644
--- a/application/front/controller/visitor/FeedController.php
+++ b/application/front/controller/visitor/FeedController.php
@@ -46,10 +46,10 @@ class FeedController extends ShaarliVisitorController
        $data = $this->container->feedBuilder->buildData($feedType, $request->getParams());
-        $this->executePageHooks('render_feed', $data, $feedType);
+        $this->executePageHooks('render_feed', $data, 'feed.' . $feedType);
        $this->assignAllView($data);
-        $content = $this->render('feed.'. $feedType);
+        $content = $this->render('feed.' . $feedType);
        $cache->cache($content);
diff --git a/application/front/controller/visitor/ShaarliVisitorController.php b/application/front/controller/visitor/ShaarliVisitorController.php
index f17c8ed3..55c075a2 100644
--- a/application/front/controller/visitor/ShaarliVisitorController.php
+++ b/application/front/controller/visitor/ShaarliVisitorController.php
@@ -78,16 +78,14 @@ abstract class ShaarliVisitorController
            'footer',
        ];
+        $parameters = $this->buildPluginParameters($template);
        foreach ($common_hooks as $name) {
            $pluginData = [];
            $this->container->pluginManager->executeHooks(
                'render_' . $name,
                $pluginData,
-                [
+                $parameters
-                    'target' => $template,
-                    'loggedin' => $this->container->loginManager->isLoggedIn(),
-                    'basePath' => $this->container->basePath,
-                ]
            );
            $this->assignView('plugins_' . $name, $pluginData);
        }
@@ -95,19 +93,23 @@ abstract class ShaarliVisitorController
    protected function executePageHooks(string $hook, array &$data, string $template = null): void
    {
-        $params = [
-            'target' => $template,
-            'loggedin' => $this->container->loginManager->isLoggedIn(),
-            'basePath' => $this->container->basePath,
-        ];
        $this->container->pluginManager->executeHooks(
            $hook,
            $data,
-            $params
+            $this->buildPluginParameters($template)
        );
    }
+    protected function buildPluginParameters(?string $template): array
+    {
+        return [
+            'target' => $template,
+            'loggedin' => $this->container->loginManager->isLoggedIn(),
+            'basePath' => $this->container->basePath,
+            'bookmarkService' => $this->container->bookmarkService
+        ];
+    }
    /**
     * Simple helper which prepend the base path to redirect path.
     *
@@ -140,6 +142,13 @@ abstract class ShaarliVisitorController
        if (null !== $referer) {
            $currentUrl = parse_url($referer);
+            // If the referer is not related to Shaarli instance, redirect to default
+            if (isset($currentUrl['host'])
+                && strpos(index_url($this->container->environment), $currentUrl['host']) === false
+            ) {
+                return $response->withRedirect($defaultPath);
+            }
            parse_str($currentUrl['query'] ?? '', $params);
            $path = $currentUrl['path'] ?? $defaultPath;
        } else {
diff --git a/application/front/controller/visitor/TagCloudController.php b/application/front/controller/visitor/TagCloudController.php
index f9c529bc..76ed7690 100644
--- a/application/front/controller/visitor/TagCloudController.php
+++ b/application/front/controller/visitor/TagCloudController.php
@@ -66,10 +66,18 @@ class TagCloudController extends ShaarliVisitorController
            $tags = $this->formatTagsForCloud($tags);
        }
+        $tagsUrl = [];
+        foreach ($tags as $tag => $value) {
+            $tagsUrl[escape($tag)] = urlencode((string) $tag);
+        }
        $searchTags = implode(' ', escape($filteringTags));
+        $searchTagsUrl = urlencode(implode(' ', $filteringTags));
        $data = [
-            'search_tags' => $searchTags,
+            'search_tags' => escape($searchTags),
-            'tags' => $tags,
+            'search_tags_url' => $searchTagsUrl,
+            'tags' => escape($tags),
+            'tags_url' => $tagsUrl,
        ];
        $this->executePageHooks('render_tag' . $type, $data, 'tag.' . $type);
        $this->assignAllView($data);