31 files changed, 282 insertions, 211 deletions

diff --git a/application/Utils.php b/application/Utils.php
index 9c9eaaa2..bcfda65c 100644
--- a/application/Utils.php
+++ b/application/Utils.php
@@ -95,14 +95,14 @@ function escape($input)
         return null;
     }
 
-    if (is_bool($input)) {
+    if (is_bool($input) || is_int($input) || is_float($input) || $input instanceof DateTimeInterface) {
         return $input;
     }
 
     if (is_array($input)) {
         $out = array();
         foreach ($input as $key => $value) {
-            $out[$key] = escape($value);
+            $out[escape($key)] = escape($value);
         }
         return $out;
     }
diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php
index 09ce6445..f5b53b01 100644
--- a/application/api/ApiMiddleware.php
+++ b/application/api/ApiMiddleware.php
@@ -107,7 +107,9 @@ class ApiMiddleware
      */
     protected function checkToken($request)
     {
-        if (! $request->hasHeader('Authorization')) {
+        if (!$request->hasHeader('Authorization')
+            && !isset($this->container->environment['REDIRECT_HTTP_AUTHORIZATION'])
+        ) {
             throw new ApiAuthorizationException('JWT token not provided');
         }
 
@@ -115,7 +117,11 @@ class ApiMiddleware
             throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
         }
 
-        $authorization = $request->getHeaderLine('Authorization');
+        if (isset($this->container->environment['REDIRECT_HTTP_AUTHORIZATION'])) {
+            $authorization = $this->container->environment['REDIRECT_HTTP_AUTHORIZATION'];
+        } else {
+            $authorization = $request->getHeaderLine('Authorization');
+        }
 
         if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
             throw new ApiAuthorizationException('Invalid JWT header');
diff --git a/application/api/ApiUtils.php b/application/api/ApiUtils.php
index faebb8f5..4a6326f0 100644
--- a/application/api/ApiUtils.php
+++ b/application/api/ApiUtils.php
@@ -94,7 +94,7 @@ class ApiUtils
      *
      * @return Bookmark instance.
      */
-    public static function buildLinkFromRequest($input, $defaultPrivate)
+    public static function buildBookmarkFromRequest($input, $defaultPrivate): Bookmark
     {
         $bookmark = new Bookmark();
         $url = ! empty($input['url']) ? cleanup_url($input['url']) : '';
@@ -110,6 +110,15 @@ class ApiUtils
         $bookmark->setTags(! empty($input['tags']) ? $input['tags'] : []);
         $bookmark->setPrivate($private);
 
+        $created = \DateTime::createFromFormat(\DateTime::ATOM, $input['created'] ?? '');
+        if ($created instanceof \DateTimeInterface) {
+            $bookmark->setCreated($created);
+        }
+        $updated = \DateTime::createFromFormat(\DateTime::ATOM, $input['updated'] ?? '');
+        if ($updated instanceof \DateTimeInterface) {
+            $bookmark->setUpdated($updated);
+        }
+
         return $bookmark;
     }
 
diff --git a/application/api/controllers/ApiController.php b/application/api/controllers/ApiController.php
index c4b3d0c3..88a845eb 100644
--- a/application/api/controllers/ApiController.php
+++ b/application/api/controllers/ApiController.php
@@ -4,6 +4,7 @@ namespace Shaarli\Api\Controllers;
 
 use Shaarli\Bookmark\BookmarkServiceInterface;
 use Shaarli\Config\ConfigManager;
+use Shaarli\History;
 use Slim\Container;
 
 /**
@@ -31,7 +32,7 @@ abstract class ApiController
     protected $bookmarkService;
 
     /**
-     * @var HistoryController
+     * @var History
      */
     protected $history;
 
diff --git a/application/api/controllers/Links.php b/application/api/controllers/Links.php
index 29247950..778097fd 100644
--- a/application/api/controllers/Links.php
+++ b/application/api/controllers/Links.php
@@ -116,7 +116,7 @@ class Links extends ApiController
     public function postLink($request, $response)
     {
         $data = $request->getParsedBody();
-        $bookmark = ApiUtils::buildLinkFromRequest($data, $this->conf->get('privacy.default_private_links'));
+        $bookmark = ApiUtils::buildBookmarkFromRequest($data, $this->conf->get('privacy.default_private_links'));
         // duplicate by URL, return 409 Conflict
         if (! empty($bookmark->getUrl())
             && ! empty($dup = $this->bookmarkService->findByUrl($bookmark->getUrl()))
@@ -155,7 +155,7 @@ class Links extends ApiController
         $index = index_url($this->ci['environment']);
         $data = $request->getParsedBody();
 
-        $requestBookmark = ApiUtils::buildLinkFromRequest($data, $this->conf->get('privacy.default_private_links'));
+        $requestBookmark = ApiUtils::buildBookmarkFromRequest($data, $this->conf->get('privacy.default_private_links'));
         // duplicate URL on a different link, return 409 Conflict
         if (! empty($requestBookmark->getUrl())
             && ! empty($dup = $this->bookmarkService->findByUrl($requestBookmark->getUrl()))
diff --git a/application/bookmark/BookmarkFileService.php b/application/bookmark/BookmarkFileService.php
index e3a61146..c9ec2609 100644
--- a/application/bookmark/BookmarkFileService.php
+++ b/application/bookmark/BookmarkFileService.php
@@ -362,7 +362,9 @@ class BookmarkFileService implements BookmarkServiceInterface
      */
     public function filterDay($request)
     {
-        return $this->bookmarkFilter->filter(BookmarkFilter::$FILTER_DAY, $request);
+        $visibility = $this->isLoggedIn ? BookmarkFilter::$ALL : BookmarkFilter::$PUBLIC;
+
+        return $this->bookmarkFilter->filter(BookmarkFilter::$FILTER_DAY, $request, false, $visibility);
     }
 
     /**
diff --git a/application/bookmark/BookmarkFilter.php b/application/bookmark/BookmarkFilter.php
index 797a36b8..6636bbfe 100644
--- a/application/bookmark/BookmarkFilter.php
+++ b/application/bookmark/BookmarkFilter.php
@@ -115,7 +115,7 @@ class BookmarkFilter
                     return $this->filterTags($request, $casesensitive, $visibility);
                 }
             case self::$FILTER_DAY:
-                return $this->filterDay($request);
+                return $this->filterDay($request, $visibility);
             default:
                 return $this->noFilter($visibility);
         }
@@ -425,21 +425,26 @@ class BookmarkFilter
      *  print_r($mydb->filterDay('20120125'));
      *
      * @param string $day day to filter.
-     *
+     * @param string $visibility return only all/private/public bookmarks.
+
      * @return array all link matching given day.
      *
      * @throws Exception if date format is invalid.
      */
-    public function filterDay($day)
+    public function filterDay($day, $visibility)
     {
         if (!checkDateFormat('Ymd', $day)) {
             throw new Exception('Invalid date format');
         }
 
         $filtered = [];
-        foreach ($this->bookmarks as $key => $l) {
-            if ($l->getCreated()->format('Ymd') == $day) {
-                $filtered[$key] = $l;
+        foreach ($this->bookmarks as $key => $bookmark) {
+            if ($visibility === static::$PUBLIC && $bookmark->isPrivate()) {
+                continue;
+            }
+
+            if ($bookmark->getCreated()->format('Ymd') == $day) {
+                $filtered[$key] = $bookmark;
             }
         }
 
diff --git a/application/bookmark/BookmarkInitializer.php b/application/bookmark/BookmarkInitializer.php
index cd2d1724..815047e3 100644
--- a/application/bookmark/BookmarkInitializer.php
+++ b/application/bookmark/BookmarkInitializer.php
@@ -34,25 +34,77 @@ class BookmarkInitializer
     public function initialize()
     {
         $bookmark = new Bookmark();
-        $bookmark->setTitle(t('My secret stuff... - Pastebin.com'));
-        $bookmark->setUrl('http://sebsauvage.net/paste/?8434b27936c09649#bR7XsXhoTiLcqCpQbmOpBi3rq2zzQUC5hBI7ZT1O3x8=');
-        $bookmark->setDescription(t('Shhhh! I\'m a private link only YOU can see. You can delete me too.'));
-        $bookmark->setTagsString('secretstuff');
+        $bookmark->setTitle('quicksilver (loop) on Vimeo ' . t('(private bookmark with thumbnail demo)'));
+        $bookmark->setUrl('https://vimeo.com/153493904');
+        $bookmark->setDescription(t(
+'Shaarli will automatically pick up the thumbnail for links to a variety of websites.
+
+Explore your new Shaarli instance by trying out controls and menus.
+Visit the project on [Github](https://github.com/shaarli/Shaarli) or [the documentation](https://shaarli.readthedocs.io/en/master/) to learn more about Shaarli.
+
+Now you can edit or delete the default shaares.
+'
+        ));
+        $bookmark->setTagsString('shaarli help thumbnail');
+        $bookmark->setPrivate(true);
+        $this->bookmarkService->add($bookmark, false);
+
+        $bookmark = new Bookmark();
+        $bookmark->setTitle(t('Note: Shaare descriptions'));
+        $bookmark->setDescription(t(
+'Adding a shaare without entering a URL creates a text-only "note" post such as this one.
+This note is private, so you are the only one able to see it while logged in.
+
+You can use this to keep notes, post articles, code snippets, and much more.
+
+The Markdown formatting setting allows you to format your notes and bookmark description:
+
+### Title headings
+
+#### Multiple headings levels
+  * bullet lists
+  * _italic_ text
+  * **bold** text
+  * ~~strike through~~ text
+  * `code` blocks
+  * images
+  * [links](https://en.wikipedia.org/wiki/Markdown)
+
+Markdown also supports tables:
+
+| Name    | Type      | Color  | Qty   |
+| ------- | --------- | ------ | ----- |
+| Orange  | Fruit     | Orange | 126   |
+| Apple   | Fruit     | Any    | 62    |
+| Lemon   | Fruit     | Yellow | 30    |
+| Carrot  | Vegetable | Red    | 14    |
+'
+        ));
+        $bookmark->setTagsString('shaarli help');
         $bookmark->setPrivate(true);
         $this->bookmarkService->add($bookmark, false);
 
         $bookmark = new Bookmark();
-        $bookmark->setTitle(t('The personal, minimalist, super-fast, database free, bookmarking service'));
-        $bookmark->setUrl('https://shaarli.readthedocs.io', []);
+        $bookmark->setTitle(
+            'Shaarli - ' . t('The personal, minimalist, super-fast, database free, bookmarking service')
+        );
         $bookmark->setDescription(t(
-            'Welcome to Shaarli! This is your first public bookmark. '
-            . 'To edit or delete me, you must first login.
+'Welcome to Shaarli!
+
+Shaarli allows you to bookmark your favorite pages, and share them with others or store them privately.
+You can add a description to your bookmarks, such as this one, and tag them.
+
+Create a new shaare by clicking the `+Shaare` button, or using any of the recommended tools (browser extension, mobile app, bookmarklet, REST API, etc.).
 
-To learn how to use Shaarli, consult the link "Documentation" at the bottom of this page.
+You can easily retrieve your links, even with thousands of them, using the internal search engine, or search through tags (e.g. this Shaare is tagged with `shaarli` and `help`).
+Hashtags such as #shaarli #help are also supported.
+You can also filter the available [RSS feed](/feed/atom) and picture wall by tag or plaintext search.
 
-You use the community supported version of the original Shaarli project, by Sebastien Sauvage.'
+We hope that you will enjoy using Shaarli, maintained with ❤️ by the community!
+Feel free to open [an issue](https://github.com/shaarli/Shaarli/issues) if you have a suggestion or encounter an issue.
+'
         ));
-        $bookmark->setTagsString('opensource software');
+        $bookmark->setTagsString('shaarli help');
         $this->bookmarkService->add($bookmark, false);
     }
 }
diff --git a/application/bookmark/LinkUtils.php b/application/bookmark/LinkUtils.php
index 03e1b82a..faf5dbfd 100644
--- a/application/bookmark/LinkUtils.php
+++ b/application/bookmark/LinkUtils.php
@@ -26,7 +26,7 @@ function html_extract_title($html)
  */
 function header_extract_charset($header)
 {
-    preg_match('/charset="?([^; ]+)/i', $header, $match);
+    preg_match('/charset=["\']?([^; "\']+)/i', $header, $match);
     if (! empty($match[1])) {
         return strtolower(trim($match[1]));
     }
diff --git a/application/config/ConfigJson.php b/application/config/ConfigJson.php
index 4509357c..c0c0dab9 100644
--- a/application/config/ConfigJson.php
+++ b/application/config/ConfigJson.php
@@ -46,7 +46,7 @@ class ConfigJson implements ConfigIO
         // JSON_PRETTY_PRINT is available from PHP 5.4.
         $print = defined('JSON_PRETTY_PRINT') ? JSON_PRETTY_PRINT : 0;
         $data = self::getPhpHeaders() . json_encode($conf, $print) . self::getPhpSuffix();
-        if (!file_put_contents($filepath, $data)) {
+        if (empty($filepath) || !file_put_contents($filepath, $data)) {
             throw new \Shaarli\Exceptions\IOException(
                 $filepath,
                 t('Shaarli could not create the config file. '.
diff --git a/application/container/ContainerBuilder.php b/application/container/ContainerBuilder.php
index 58067c99..55bb51b5 100644
--- a/application/container/ContainerBuilder.php
+++ b/application/container/ContainerBuilder.php
@@ -10,6 +10,7 @@ use Shaarli\Config\ConfigManager;
 use Shaarli\Feed\FeedBuilder;
 use Shaarli\Formatter\FormatterFactory;
 use Shaarli\Front\Controller\Visitor\ErrorController;
+use Shaarli\Front\Controller\Visitor\ErrorNotFoundController;
 use Shaarli\History;
 use Shaarli\Http\HttpAccess;
 use Shaarli\Netscape\NetscapeBookmarkUtils;
@@ -149,6 +150,9 @@ class ContainerBuilder
             );
         };
 
+        $container['notFoundHandler'] = function (ShaarliContainer $container): ErrorNotFoundController {
+            return new ErrorNotFoundController($container);
+        };
         $container['errorHandler'] = function (ShaarliContainer $container): ErrorController {
             return new ErrorController($container);
         };
diff --git a/application/container/ShaarliContainer.php b/application/container/ShaarliContainer.php
index 9a9a974a..66e669aa 100644
--- a/application/container/ShaarliContainer.php
+++ b/application/container/ShaarliContainer.php
@@ -24,21 +24,22 @@ use Slim\Container;
 /**
  * Extension of Slim container to document the injected objects.
  *
- * @property string                   $basePath             Shaarli's instance base path (e.g. `/shaarli/`)
+ * @property string                   $basePath              Shaarli's instance base path (e.g. `/shaarli/`)
  * @property BookmarkServiceInterface $bookmarkService
  * @property CookieManager            $cookieManager
  * @property ConfigManager            $conf
- * @property mixed[]                  $environment          $_SERVER automatically injected by Slim
- * @property callable                 $errorHandler         Overrides default Slim exception display
+ * @property mixed[]                  $environment           $_SERVER automatically injected by Slim
+ * @property callable                 $errorHandler          Overrides default Slim exception display
  * @property FeedBuilder              $feedBuilder
  * @property FormatterFactory         $formatterFactory
  * @property History                  $history
  * @property HttpAccess               $httpAccess
  * @property LoginManager             $loginManager
  * @property NetscapeBookmarkUtils    $netscapeBookmarkUtils
+ * @property callable                 $notFoundHandler       Overrides default Slim exception display
  * @property PageBuilder              $pageBuilder
  * @property PageCacheManager         $pageCacheManager
- * @property callable                 $phpErrorHandler      Overrides default Slim PHP error display
+ * @property callable                 $phpErrorHandler       Overrides default Slim PHP error display
  * @property PluginManager            $pluginManager
  * @property SessionManager           $sessionManager
  * @property Thumbnailer              $thumbnailer
diff --git a/application/feed/FeedBuilder.php b/application/feed/FeedBuilder.php
index 3653c32f..f6def630 100644
--- a/application/feed/FeedBuilder.php
+++ b/application/feed/FeedBuilder.php
@@ -122,9 +122,9 @@ class FeedBuilder
         $data['language'] = $this->getTypeLanguage($feedType);
         $data['last_update'] = $this->getLatestDateFormatted($feedType);
         $data['show_dates'] = !$this->hideDates || $this->isLoggedIn;
-        // Remove leading slash from REQUEST_URI.
-        $data['self_link'] = escape(server_url($this->serverInfo))
-            . escape($this->serverInfo['REQUEST_URI']);
+        // Remove leading path from REQUEST_URI (already contained in $pageaddr).
+        $requestUri = preg_replace('#(.*?/)(feed.*)#', '$2', escape($this->serverInfo['REQUEST_URI']));
+        $data['self_link'] = $pageaddr . $requestUri;
         $data['index_url'] = $pageaddr;
         $data['usepermalinks'] = $this->usePermalinks === true;
         $data['links'] = $linkDisplayed;
diff --git a/application/formatter/BookmarkFormatter.php b/application/formatter/BookmarkFormatter.php
index 22ba7aae..0042dafe 100644
--- a/application/formatter/BookmarkFormatter.php
+++ b/application/formatter/BookmarkFormatter.php
@@ -58,7 +58,9 @@ abstract class BookmarkFormatter
         $out['title'] = $this->formatTitle($bookmark);
         $out['description'] = $this->formatDescription($bookmark);
         $out['thumbnail'] = $this->formatThumbnail($bookmark);
+        $out['urlencoded_taglist'] = $this->formatUrlEncodedTagList($bookmark);
         $out['taglist'] = $this->formatTagList($bookmark);
+        $out['urlencoded_tags'] = $this->formatUrlEncodedTagString($bookmark);
         $out['tags'] = $this->formatTagString($bookmark);
         $out['sticky'] = $bookmark->isSticky();
         $out['private'] = $bookmark->isPrivate();
@@ -182,6 +184,18 @@ abstract class BookmarkFormatter
     }
 
     /**
+     * Format Url Encoded Tags
+     *
+     * @param Bookmark $bookmark instance
+     *
+     * @return array formatted Tags
+     */
+    protected function formatUrlEncodedTagList($bookmark)
+    {
+        return array_map('urlencode', $this->filterTagList($bookmark->getTags()));
+    }
+
+    /**
      * Format TagString
      *
      * @param Bookmark $bookmark instance
@@ -194,6 +208,18 @@ abstract class BookmarkFormatter
     }
 
     /**
+     * Format TagString
+     *
+     * @param Bookmark $bookmark instance
+     *
+     * @return string formatted TagString
+     */
+    protected function formatUrlEncodedTagString($bookmark)
+    {
+        return implode(' ', $this->formatUrlEncodedTagList($bookmark));
+    }
+
+    /**
      * Format Class
      * Used to add specific CSS class for a link
      *
diff --git a/application/formatter/BookmarkMarkdownExtraFormatter.php b/application/formatter/BookmarkMarkdownExtraFormatter.php
new file mode 100644
index 00000000..0694b23f
--- /dev/null
+++ b/application/formatter/BookmarkMarkdownExtraFormatter.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Shaarli\Formatter;
+
+use Shaarli\Config\ConfigManager;
+
+/**
+ * Class BookmarkMarkdownExtraFormatter
+ *
+ * Format bookmark description into MarkdownExtra format.
+ *
+ * @see https://michelf.ca/projects/php-markdown/extra/
+ *
+ * @package Shaarli\Formatter
+ */
+class BookmarkMarkdownExtraFormatter extends BookmarkMarkdownFormatter
+{
+    public function __construct(ConfigManager $conf, bool $isLoggedIn)
+    {
+        parent::__construct($conf, $isLoggedIn);
+
+        $this->parsedown = new \ParsedownExtra();
+    }
+}
diff --git a/application/front/controller/admin/ConfigureController.php b/application/front/controller/admin/ConfigureController.php
index e675fcca..0ed7ad81 100644
--- a/application/front/controller/admin/ConfigureController.php
+++ b/application/front/controller/admin/ConfigureController.php
@@ -30,7 +30,7 @@ class ConfigureController extends ShaarliAdminController
             'theme_available',
             ThemeUtils::getThemes($this->container->conf->get('resource.raintpl_tpl'))
         );
-        $this->assignView('formatter_available', ['default', 'markdown']);
+        $this->assignView('formatter_available', ['default', 'markdown', 'markdownExtra']);
         list($continents, $cities) = generateTimeZoneData(
             timezone_identifiers_list(),
             $this->container->conf->get('general.timezone')
diff --git a/application/front/controller/admin/ManageShaareController.php b/application/front/controller/admin/ManageShaareController.php
index 33e1188e..bb083486 100644
--- a/application/front/controller/admin/ManageShaareController.php
+++ b/application/front/controller/admin/ManageShaareController.php
@@ -69,7 +69,7 @@ class ManageShaareController extends ShaarliAdminController
                         $retrieveDescription
                     )
                 );
-                if (! empty($title) && strtolower($charset) !== 'utf-8') {
+                if (! empty($title) && strtolower($charset) !== 'utf-8' && mb_check_encoding($charset)) {
                     $title = mb_convert_encoding($title, 'utf-8', $charset);
                 }
             }
@@ -78,13 +78,13 @@ class ManageShaareController extends ShaarliAdminController
                 $title = $this->container->conf->get('general.default_note_title', t('Note: '));
             }
 
-            $link = escape([
+            $link = [
                 'title' => $title,
                 'url' => $url ?? '',
                 'description' => $description ?? '',
                 'tags' => $tags ?? '',
                 'private' => $private,
-            ]);
+            ];
         } else {
             $formatter = $this->container->formatterFactory->getFormatter('raw');
             $link = $formatter->format($bookmark);
@@ -127,7 +127,7 @@ class ManageShaareController extends ShaarliAdminController
         $this->checkToken($request);
 
         // lf_id should only be present if the link exists.
-        $id = $request->getParam('lf_id') ? intval(escape($request->getParam('lf_id'))) : null;
+        $id = $request->getParam('lf_id') !== null ? intval(escape($request->getParam('lf_id'))) : null;
         if (null !== $id && true === $this->container->bookmarkService->exists($id)) {
             // Edit
             $bookmark = $this->container->bookmarkService->get($id);
@@ -169,7 +169,7 @@ class ManageShaareController extends ShaarliAdminController
         return $this->redirectFromReferer(
             $request,
             $response,
-            ['add-shaare', 'shaare'], ['addlink', 'post', 'edit_link'],
+            ['/admin/add-shaare', '/admin/shaare'], ['addlink', 'post', 'edit_link'],
             $bookmark->getShortUrl()
         );
     }
@@ -345,14 +345,14 @@ class ManageShaareController extends ShaarliAdminController
             $tags[BookmarkMarkdownFormatter::NO_MD_TAG] = 1;
         }
 
-        $data = [
+        $data = escape([
             'link' => $link,
             'link_is_new' => $isNew,
-            'http_referer' => escape($this->container->environment['HTTP_REFERER'] ?? ''),
+            'http_referer' => $this->container->environment['HTTP_REFERER'] ?? '',
             'source' => $request->getParam('source') ?? '',
             'tags' => $tags,
             'default_private_links' => $this->container->conf->get('privacy.default_private_links', false),
-        ];
+        ]);
 
         $this->executePageHooks('render_editlink', $data, TemplatePage::EDIT_LINK);
 
diff --git a/application/front/controller/admin/ManageTagController.php b/application/front/controller/admin/ManageTagController.php
index 0380ef1f..2065c3e2 100644
--- a/application/front/controller/admin/ManageTagController.php
+++ b/application/front/controller/admin/ManageTagController.php
@@ -41,8 +41,8 @@ class ManageTagController extends ShaarliAdminController
 
         $isDelete = null !== $request->getParam('deletetag') && null === $request->getParam('renametag');
 
-        $fromTag = escape(trim($request->getParam('fromtag') ?? ''));
-        $toTag = escape(trim($request->getParam('totag') ?? ''));
+        $fromTag = trim($request->getParam('fromtag') ?? '');
+        $toTag = trim($request->getParam('totag') ?? '');
 
         if (0 === strlen($fromTag) || false === $isDelete && 0 === strlen($toTag)) {
             $this->saveWarningMessage(t('Invalid tags provided.'));
diff --git a/application/front/controller/admin/PluginsController.php b/application/front/controller/admin/PluginsController.php
index 0e09116e..8e059681 100644
--- a/application/front/controller/admin/PluginsController.php
+++ b/application/front/controller/admin/PluginsController.php
@@ -62,6 +62,7 @@ class PluginsController extends ShaarliAdminController
 
             if (isset($parameters['parameters_form'])) {
                 unset($parameters['parameters_form']);
+                unset($parameters['token']);
                 foreach ($parameters as $param => $value) {
                     $this->container->conf->set('plugins.'. $param, escape($value));
                 }
diff --git a/application/front/controller/admin/ShaarliAdminController.php b/application/front/controller/admin/ShaarliAdminController.php
index 3b5939bb..c26c9cbe 100644
--- a/application/front/controller/admin/ShaarliAdminController.php
+++ b/application/front/controller/admin/ShaarliAdminController.php
@@ -4,9 +4,7 @@ declare(strict_types=1);
 
 namespace Shaarli\Front\Controller\Admin;
 
-use Shaarli\Container\ShaarliContainer;
 use Shaarli\Front\Controller\Visitor\ShaarliVisitorController;
-use Shaarli\Front\Exception\UnauthorizedException;
 use Shaarli\Front\Exception\WrongTokenException;
 use Shaarli\Security\SessionManager;
 use Slim\Http\Request;
diff --git a/application/front/controller/visitor/BookmarkListController.php b/application/front/controller/visitor/BookmarkListController.php
index 2988bee6..18368751 100644
--- a/application/front/controller/visitor/BookmarkListController.php
+++ b/application/front/controller/visitor/BookmarkListController.php
@@ -34,7 +34,7 @@ class BookmarkListController extends ShaarliVisitorController
         $formatter = $this->container->formatterFactory->getFormatter();
         $formatter->addContextData('base_path', $this->container->basePath);
 
-        $searchTags = escape(normalize_spaces($request->getParam('searchtags') ?? ''));
+        $searchTags = normalize_spaces($request->getParam('searchtags') ?? '');
         $searchTerm = escape(normalize_spaces($request->getParam('searchterm') ?? ''));;
 
         // Filter bookmarks according search parameters.
@@ -104,8 +104,9 @@ class BookmarkListController extends ShaarliVisitorController
                 'page_current' => $page,
                 'page_max' => $pageCount,
                 'result_count' => count($linksToDisplay),
-                'search_term' => $searchTerm,
-                'search_tags' => $searchTags,
+                'search_term' => escape($searchTerm),
+                'search_tags' => escape($searchTags),
+                'search_tags_url' => array_map('urlencode', explode(' ', $searchTags)),
                 'visibility' => $visibility,
                 'links' => $linkDisp,
             ]
diff --git a/application/front/controller/visitor/DailyController.php b/application/front/controller/visitor/DailyController.php
index 54a4778f..07617cf1 100644
--- a/application/front/controller/visitor/DailyController.php
+++ b/application/front/controller/visitor/DailyController.php
@@ -132,7 +132,7 @@ class DailyController extends ShaarliVisitorController
                 'date' => $dayDatetime,
                 'date_rss' => $dayDatetime->format(DateTime::RSS),
                 'date_human' => format_date($dayDatetime, false, true),
-                'absolute_url' => $indexUrl . '/daily?day=' . $day,
+                'absolute_url' => $indexUrl . 'daily?day=' . $day,
                 'links' => [],
             ];
 
diff --git a/application/front/controller/visitor/ErrorNotFoundController.php b/application/front/controller/visitor/ErrorNotFoundController.php
new file mode 100644
index 00000000..758dd83b
--- /dev/null
+++ b/application/front/controller/visitor/ErrorNotFoundController.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Shaarli\Front\Controller\Visitor;
+
+use Slim\Http\Request;
+use Slim\Http\Response;
+
+/**
+ * Controller used to render the 404 error page.
+ */
+class ErrorNotFoundController extends ShaarliVisitorController
+{
+    public function __invoke(Request $request, Response $response): Response
+    {
+        // Request from the API
+        if (false !== strpos($request->getRequestTarget(), '/api/v1')) {
+            return $response->withStatus(404);
+        }
+
+        // This is required because the middleware is ignored if the route is not found.
+        $this->container->basePath = rtrim($request->getUri()->getBasePath(), '/');
+
+        $this->assignView('error_message', t('Requested page could not be found.'));
+
+        return $response->withStatus(404)->write($this->render('404'));
+    }
+}
diff --git a/application/front/controller/visitor/FeedController.php b/application/front/controller/visitor/FeedController.php
index da2848c2..8d8b546a 100644
--- a/application/front/controller/visitor/FeedController.php
+++ b/application/front/controller/visitor/FeedController.php
@@ -46,10 +46,10 @@ class FeedController extends ShaarliVisitorController
 
         $data = $this->container->feedBuilder->buildData($feedType, $request->getParams());
 
-        $this->executePageHooks('render_feed', $data, $feedType);
+        $this->executePageHooks('render_feed', $data, 'feed.' . $feedType);
         $this->assignAllView($data);
 
-        $content = $this->render('feed.'. $feedType);
+        $content = $this->render('feed.' . $feedType);
 
         $cache->cache($content);
 
diff --git a/application/front/controller/visitor/ShaarliVisitorController.php b/application/front/controller/visitor/ShaarliVisitorController.php
index f17c8ed3..55c075a2 100644
--- a/application/front/controller/visitor/ShaarliVisitorController.php
+++ b/application/front/controller/visitor/ShaarliVisitorController.php
@@ -78,16 +78,14 @@ abstract class ShaarliVisitorController
             'footer',
         ];
 
+        $parameters = $this->buildPluginParameters($template);
+
         foreach ($common_hooks as $name) {
             $pluginData = [];
             $this->container->pluginManager->executeHooks(
                 'render_' . $name,
                 $pluginData,
-                [
-                    'target' => $template,
-                    'loggedin' => $this->container->loginManager->isLoggedIn(),
-                    'basePath' => $this->container->basePath,
-                ]
+                $parameters
             );
             $this->assignView('plugins_' . $name, $pluginData);
         }
@@ -95,19 +93,23 @@ abstract class ShaarliVisitorController
 
     protected function executePageHooks(string $hook, array &$data, string $template = null): void
     {
-        $params = [
-            'target' => $template,
-            'loggedin' => $this->container->loginManager->isLoggedIn(),
-            'basePath' => $this->container->basePath,
-        ];
-
         $this->container->pluginManager->executeHooks(
             $hook,
             $data,
-            $params
+            $this->buildPluginParameters($template)
         );
     }
 
+    protected function buildPluginParameters(?string $template): array
+    {
+        return [
+            'target' => $template,
+            'loggedin' => $this->container->loginManager->isLoggedIn(),
+            'basePath' => $this->container->basePath,
+            'bookmarkService' => $this->container->bookmarkService
+        ];
+    }
+
     /**
      * Simple helper which prepend the base path to redirect path.
      *
@@ -140,6 +142,13 @@ abstract class ShaarliVisitorController
 
         if (null !== $referer) {
             $currentUrl = parse_url($referer);
+            // If the referer is not related to Shaarli instance, redirect to default
+            if (isset($currentUrl['host'])
+                && strpos(index_url($this->container->environment), $currentUrl['host']) === false
+            ) {
+                return $response->withRedirect($defaultPath);
+            }
+
             parse_str($currentUrl['query'] ?? '', $params);
             $path = $currentUrl['path'] ?? $defaultPath;
         } else {
diff --git a/application/front/controller/visitor/TagCloudController.php b/application/front/controller/visitor/TagCloudController.php
index f9c529bc..76ed7690 100644
--- a/application/front/controller/visitor/TagCloudController.php
+++ b/application/front/controller/visitor/TagCloudController.php
@@ -66,10 +66,18 @@ class TagCloudController extends ShaarliVisitorController
             $tags = $this->formatTagsForCloud($tags);
         }
 
+        $tagsUrl = [];
+        foreach ($tags as $tag => $value) {
+            $tagsUrl[escape($tag)] = urlencode((string) $tag);
+        }
+
         $searchTags = implode(' ', escape($filteringTags));
+        $searchTagsUrl = urlencode(implode(' ', $filteringTags));
         $data = [
-            'search_tags' => $searchTags,
-            'tags' => $tags,
+            'search_tags' => escape($searchTags),
+            'search_tags_url' => $searchTagsUrl,
+            'tags' => escape($tags),
+            'tags_url' => $tagsUrl,
         ];
         $this->executePageHooks('render_tag' . $type, $data, 'tag.' . $type);
         $this->assignAllView($data);
diff --git a/application/http/HttpUtils.php b/application/http/HttpUtils.php
index 4fc4e3dc..9f414073 100644
--- a/application/http/HttpUtils.php
+++ b/application/http/HttpUtils.php
@@ -369,7 +369,11 @@ function server_url($server)
  */
 function index_url($server)
 {
-    $scriptname = $server['SCRIPT_NAME'] ?? '';
+    if (defined('SHAARLI_ROOT_URL') && null !== SHAARLI_ROOT_URL) {
+        return rtrim(SHAARLI_ROOT_URL, '/') . '/';
+    }
+
+    $scriptname = !empty($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '/';
     if (endsWith($scriptname, 'index.php')) {
         $scriptname = substr($scriptname, 0, -9);
     }
@@ -392,7 +396,7 @@ function page_url($server)
         $scriptname = substr($scriptname, 0, -9);
     }
 
-    $route = ltrim($server['REQUEST_URI'] ?? '', $scriptname);
+    $route = preg_replace('@^' . $scriptname . '@', '', $server['REQUEST_URI'] ?? '');
     if (! empty($server['QUERY_STRING'])) {
         return index_url($server) . $route . '?' . $server['QUERY_STRING'];
     }
diff --git a/application/legacy/LegacyController.php b/application/legacy/LegacyController.php
index e16dd0f4..826604e7 100644
--- a/application/legacy/LegacyController.php
+++ b/application/legacy/LegacyController.php
@@ -39,13 +39,23 @@ class LegacyController extends ShaarliVisitorController
     /** Legacy route: ?post= */
     public function post(Request $request, Response $response): Response
     {
-        $parameters = count($request->getQueryParams()) > 0 ? '?' . http_build_query($request->getQueryParams()) : '';
         $route = '/admin/shaare';
+        $buildParameters = function (?array $parameters, bool $encode) {
+            if ($encode) {
+                $parameters = array_map('urlencode', $parameters);
+            }
+
+            return count($parameters) > 0 ? '?' . http_build_query($parameters) : '';
+        };
+
 
         if (!$this->container->loginManager->isLoggedIn()) {
+            $parameters = $buildParameters($request->getQueryParams(), true);
             return $this->redirect($response, '/login?returnurl='. $this->getBasePath() . $route . $parameters);
         }
 
+        $parameters = $buildParameters($request->getQueryParams(), false);
+
         return $this->redirect($response, $route . $parameters);
     }
 
diff --git a/application/legacy/LegacyRouter.php b/application/legacy/LegacyRouter.php
index cea99154..0449c7e1 100644
--- a/application/legacy/LegacyRouter.php
+++ b/application/legacy/LegacyRouter.php
@@ -17,15 +17,15 @@ class LegacyRouter
 
     public static $PAGE_PICWALL = 'picwall';
 
-    public static $PAGE_TAGCLOUD = 'tagcloud';
+    public static $PAGE_TAGCLOUD = 'tag.cloud';
 
-    public static $PAGE_TAGLIST = 'taglist';
+    public static $PAGE_TAGLIST = 'tag.list';
 
     public static $PAGE_DAILY = 'daily';
 
-    public static $PAGE_FEED_ATOM = 'atom';
+    public static $PAGE_FEED_ATOM = 'feed.atom';
 
-    public static $PAGE_FEED_RSS = 'rss';
+    public static $PAGE_FEED_RSS = 'feed.rss';
 
     public static $PAGE_TOOLS = 'tools';
 
@@ -37,7 +37,7 @@ class LegacyRouter
 
     public static $PAGE_ADDLINK = 'addlink';
 
-    public static $PAGE_EDITLINK = 'edit_link';
+    public static $PAGE_EDITLINK = 'editlink';
 
     public static $PAGE_DELETELINK = 'delete_link';
 
@@ -60,128 +60,4 @@ class LegacyRouter
     public static $PAGE_THUMBS_UPDATE = 'thumbs_update';
 
     public static $GET_TOKEN = 'token';
-
-    /**
-     * Reproducing renderPage() if hell, to avoid regression.
-     *
-     * This highlights how bad this needs to be rewrite,
-     * but let's focus on plugins for now.
-     *
-     * @param string $query    $_SERVER['QUERY_STRING'].
-     * @param array  $get      $_SERVER['GET'].
-     * @param bool   $loggedIn true if authenticated user.
-     *
-     * @return string page found.
-     */
-    public static function findPage($query, $get, $loggedIn)
-    {
-        $loggedIn = ($loggedIn === true) ? true : false;
-
-        if (empty($query) && !isset($get['edit_link']) && !isset($get['post'])) {
-            return self::$PAGE_LINKLIST;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_LOGIN) && $loggedIn === false) {
-            return self::$PAGE_LOGIN;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_PICWALL)) {
-            return self::$PAGE_PICWALL;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_TAGCLOUD)) {
-            return self::$PAGE_TAGCLOUD;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_TAGLIST)) {
-            return self::$PAGE_TAGLIST;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_OPENSEARCH)) {
-            return self::$PAGE_OPENSEARCH;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_DAILY)) {
-            return self::$PAGE_DAILY;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_FEED_ATOM)) {
-            return self::$PAGE_FEED_ATOM;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_FEED_RSS)) {
-            return self::$PAGE_FEED_RSS;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_THUMBS_UPDATE)) {
-            return self::$PAGE_THUMBS_UPDATE;
-        }
-
-        if (startsWith($query, 'do=' . self::$AJAX_THUMB_UPDATE)) {
-            return self::$AJAX_THUMB_UPDATE;
-        }
-
-        // At this point, only loggedin pages.
-        if (!$loggedIn) {
-            return self::$PAGE_LINKLIST;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_TOOLS)) {
-            return self::$PAGE_TOOLS;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_CHANGEPASSWORD)) {
-            return self::$PAGE_CHANGEPASSWORD;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_CONFIGURE)) {
-            return self::$PAGE_CONFIGURE;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_CHANGETAG)) {
-            return self::$PAGE_CHANGETAG;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_ADDLINK)) {
-            return self::$PAGE_ADDLINK;
-        }
-
-        if (isset($get['edit_link']) || isset($get['post'])) {
-            return self::$PAGE_EDITLINK;
-        }
-
-        if (isset($get['delete_link'])) {
-            return self::$PAGE_DELETELINK;
-        }
-
-        if (isset($get[self::$PAGE_CHANGE_VISIBILITY])) {
-            return self::$PAGE_CHANGE_VISIBILITY;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_PINLINK)) {
-            return self::$PAGE_PINLINK;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_EXPORT)) {
-            return self::$PAGE_EXPORT;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_IMPORT)) {
-            return self::$PAGE_IMPORT;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_PLUGINSADMIN)) {
-            return self::$PAGE_PLUGINSADMIN;
-        }
-
-        if (startsWith($query, 'do=' . self::$PAGE_SAVE_PLUGINSADMIN)) {
-            return self::$PAGE_SAVE_PLUGINSADMIN;
-        }
-
-        if (startsWith($query, 'do=' . self::$GET_TOKEN)) {
-            return self::$GET_TOKEN;
-        }
-
-        return self::$PAGE_LINKLIST;
-    }
 }
diff --git a/application/plugin/PluginManager.php b/application/plugin/PluginManager.php
index 2d93cb3a..1b2197c9 100644
--- a/application/plugin/PluginManager.php
+++ b/application/plugin/PluginManager.php
@@ -100,16 +100,17 @@ class PluginManager
      */
     public function executeHooks($hook, &$data, $params = array())
     {
-        if (!empty($params['target'])) {
-            $data['_PAGE_'] = $params['target'];
-        }
-
-        if (isset($params['loggedin'])) {
-            $data['_LOGGEDIN_'] = $params['loggedin'];
-        }
-
-        if (isset($params['basePath'])) {
-            $data['_BASE_PATH_'] = $params['basePath'];
+        $metadataParameters = [
+            'target' => '_PAGE_',
+            'loggedin' => '_LOGGEDIN_',
+            'basePath' => '_BASE_PATH_',
+            'bookmarkService' => '_BOOKMARK_SERVICE_',
+        ];
+
+        foreach ($metadataParameters as $parameter => $metaKey) {
+            if (array_key_exists($parameter, $params)) {
+                $data[$metaKey] = $params[$parameter];
+            }
         }
 
         foreach ($this->loadedPlugins as $plugin) {
@@ -124,6 +125,10 @@ class PluginManager
                 }
             }
         }
+
+        foreach ($metadataParameters as $metaKey) {
+            unset($data[$metaKey]);
+        }
     }
 
     /**
diff --git a/application/render/PageBuilder.php b/application/render/PageBuilder.php
index c52e3b76..41b357dd 100644
--- a/application/render/PageBuilder.php
+++ b/application/render/PageBuilder.php
@@ -137,7 +137,7 @@ class PageBuilder
         $this->tpl->assign('language', $this->conf->get('translation.language'));
 
         if ($this->bookmarkService !== null) {
-            $this->tpl->assign('tags', $this->bookmarkService->bookmarksCountPerTag());
+            $this->tpl->assign('tags', escape($this->bookmarkService->bookmarksCountPerTag()));
         }
 
         $this->tpl->assign(