7 files changed, 82 insertions, 32 deletions
diff --git a/doc/md/Docker.md b/doc/md/Docker.md
index c152fe92..fc406c00 100644
--- a/doc/md/Docker.md
+++ b/doc/md/Docker.md
@@ -1,3 +1,4 @@
 # Docker
 [Docker](https://docs.docker.com/get-started/overview/) is an open platform for developing, shipping, and running applications
@@ -113,9 +114,11 @@ $ mkdir shaarli && cd shaarli
 # Download the latest version of Shaarli's docker-compose.yml
 $ curl -L https://raw.githubusercontent.com/shaarli/Shaarli/latest/docker-compose.yml -o docker-compose.yml
 # Create the .env file and fill in your VPS and domain information
-# (replace <MY_SHAARLI_DOMAIN> and <MY_CONTACT_EMAIL> with your actual information)
+# (replace <shaarli.mydomain.org>, <admin@mydomain.org> and <latest> with your actual information)
 $ echo 'SHAARLI_VIRTUAL_HOST=shaarli.mydomain.org' > .env
 $ echo 'SHAARLI_LETSENCRYPT_EMAIL=admin@mydomain.org' >> .env
+# Available Docker tags can be found at https://hub.docker.com/r/shaarli/shaarli/tags
+$ echo 'SHAARLI_DOCKER_TAG=latest' >> .env
 # Pull the Docker images
 $ docker-compose pull
 # Run!
@@ -224,4 +227,4 @@ $ docker system prune
 - [docker pull](https://docs.docker.com/engine/reference/commandline/pull/)
 - [docker run](https://docs.docker.com/engine/reference/commandline/run/)
 - [docker-compose logs](https://docs.docker.com/compose/reference/logs/)
- Træfik: [Getting Started](https://docs.traefik.io/), [Docker backend](https://docs.traefik.io/configuration/backends/docker/), [Let's Encrypt](https://docs.traefik.io/user-guide/docker-and-lets-encrypt/), [Docker image](https://hub.docker.com/_/traefik/)
-\ No newline at end of file
+- Træfik: [Getting Started](https://docs.traefik.io/), [Docker backend](https://docs.traefik.io/configuration/backends/docker/), [Let's Encrypt](https://docs.traefik.io/user-guide/docker-and-lets-encrypt/), [Docker image](https://hub.docker.com/_/traefik/)
diff --git a/doc/md/REST-API.md b/doc/md/REST-API.md
index 01071d8e..2a36ea29 100644
--- a/doc/md/REST-API.md
+++ b/doc/md/REST-API.md
@@ -73,7 +73,7 @@ var_dump(getInfo($baseUrl, $secret));
 ### Authentication
 - All requests to Shaarli's API must include a **JWT token** to verify their authenticity.
- This token must be included as an HTTP header called `Authentication: Bearer <jwt token>`.
+- This token must be included as an HTTP header called `Authorization: Bearer <jwt token>`.
 - JWT tokens are composed by three parts, separated by a dot `.` and encoded in base64:
 ```
diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md
index 8cb39934..a49b6033 100644
--- a/doc/md/Server-configuration.md
+++ b/doc/md/Server-configuration.md
@@ -193,19 +193,24 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
        Require all granted
    </Directory>
-    <LocationMatch "/\.">
+    # BE CAREFUL: directives order matter!
-        # Prevent accessing dotfiles
-        RedirectMatch 404 ".*"
-    </LocationMatch>
-    <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
+    <FilesMatch ".*\.(?!(ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$)[^\.]*$">
+        Require all denied
+    </FilesMatch>
+    <Files "index.php">
+        Require all granted
+    </Files>
+    <FilesMatch "\.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2)$">
        # allow client-side caching of static files
        Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
-    </LocationMatch>
+    </FilesMatch>
    # serve the Shaarli favicon from its custom location
    Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
 </VirtualHost>
 ```
@@ -296,7 +301,7 @@ server {
    location / {
        # default index file when no file URI is requested
        index index.php;
-        try_files $uri /index.php$is_args$args;
+        try_files _ /index.php$is_args$args;
    }
    location ~ (index)\.php$ {
@@ -309,20 +314,9 @@ server {
        include        fastcgi.conf;
    }
-    location ~ \.php$ {
+    location ~ /doc/html/ {
-        # deny access to all other PHP scripts
+        default_type "text/html";
-        # disable this if you host other PHP applications on the same virtualhost
+        try_files $uri $uri/ $uri.html =404;
-        deny all;
-    }
-    location ~ /\. {
-        # deny access to dotfiles
-        deny all;
-    }
-    location ~ ~$ {
-        # deny access to temp editor files, e.g. "script.php~"
-        deny all;
    }
    location = /favicon.ico {
@@ -331,13 +325,12 @@ server {
    }
    # allow client-side caching of static files
-    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
+    location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ {
        expires    max;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        # HTTP 1.0 compatibility
        add_header Pragma public;
    }
 }
 ```
diff --git a/doc/md/Shaarli-configuration.md b/doc/md/Shaarli-configuration.md
index 263fb761..b1326cce 100644
--- a/doc/md/Shaarli-configuration.md
+++ b/doc/md/Shaarli-configuration.md
@@ -74,6 +74,7 @@ Some settings can be configured directly from a web browser by accesing the `Too
        "timezone": "Europe\/Paris",
        "title": "My Shaarli",
        "header_link": "?"
+        "tags_separator": " "
    },
    "dev": {
        "debug": false,
@@ -150,8 +151,10 @@ _These settings should not be edited_
 - **timezone**: See [the list of supported timezones](http://php.net/manual/en/timezones.php).
 - **enabled_plugins**: List of enabled plugins.
 - **default_note_title**: Default title of a new note.
+- **enable_async_metadata** (boolean): Retrieve external bookmark metadata asynchronously to prevent bookmark creation slowdown.
 - **retrieve_description** (boolean): If set to true, for every new Shaare Shaarli will try to retrieve the description and keywords from the HTML meta tags.
 - **root_url**: Overrides automatic discovery of Shaarli instance's URL (e.g.) `https://sub.domain.tld/shaarli-folder/`.
+- **tags_separator**: Defines your tags separator (default: whitespace).
 ### Security
@@ -163,6 +166,22 @@ _These settings should not be edited_
 - **trusted_proxies**: List of trusted IP which won't be banned after failed login attemps. Useful if Shaarli is behind a reverse proxy.
 - **allowed_protocols**: List of allowed protocols in shaare URLs or markdown-rendered descriptions. Useful if you want to store `javascript:` links (bookmarklets) in Shaarli (default: `["ftp", "ftps", "magnet"]`).
+### Formatter
+Single string value. Default available:
+  - `default`: supports line breaks, URL and hashtag auto-links.
+  - `markdown`: supports [Markdown](https://daringfireball.net/projects/markdown/syntax).
+  - `markdownExtra`: adds [extra](https://michelf.ca/projects/php-markdown/extra/) flavor to Markdown.
+### Formatter Settings
+Additional settings applied to formatters.
+#### default
+  - **autolink**: boolean to enable or disable automatic linkification of URL and hashtags.
 ### Resources
 - **data_dir**: Data directory.
diff --git a/doc/md/dev/Development.md b/doc/md/dev/Development.md
index 5c085e03..c42e8ffe 100644
--- a/doc/md/dev/Development.md
+++ b/doc/md/dev/Development.md
@@ -6,7 +6,7 @@ Please read [Contributing to Shaarli](https://github.com/shaarli/Shaarli/tree/ma
 - [Unit tests](Unit-tests)
- Javascript linting - Shaarli uses [Airbnb JavaScript Style Guide](https://github.com/airbnb/javascript). 
+- Javascript linting - Shaarli uses [Airbnb JavaScript Style Guide](https://github.com/airbnb/javascript).
 Run `make eslint` to check JS style.
 - [GnuPG signature](GnuPG-signature) for tags/releases
@@ -51,12 +51,12 @@ PHP (managed through [`composer.json`](https://github.com/shaarli/Shaarli/blob/m
 ## Link structure
-Every link available through the `LinkDB` object is represented as an array 
+Every link available through the `LinkDB` object is represented as an array
 containing the following fields:
  * `id` (integer): Unique identifier.
  * `title` (string): Title of the link.
-  * `url` (string): URL of the link. Used for displayable links (without redirector, url encoding, etc.).  
+  * `url` (string): URL of the link. Used for displayable links (without redirector, url encoding, etc.).
           Can be absolute or relative for Notes.
  * `real_url` (string): Real destination URL, can be redirected, encoded, etc.
  * `shorturl` (string): Permalink small hash.
@@ -66,7 +66,7 @@ containing the following fields:
  * `thumbnail` (string|boolean): relative path of the thumbnail cache file, or false if there isn't any.
  * `created` (DateTime): link creation date time.
  * `updated` (DateTime): last modification date time.
-  
 Small hashes are used to make a link to an entry in Shaarli. They are unique: the date of the item (eg. `20110923_150523`) is hashed with CRC32, then converted to base64 and some characters are replaced. They are always 6 characters longs and use only `A-Z a-z 0-9 - _` and `@`.
@@ -163,11 +163,13 @@ See [`.travis.yml`](https://github.com/shaarli/Shaarli/blob/master/.travis.yml).
 ## Static analysis
-Patches should try to stick to the [PHP Standard Recommendations](http://www.php-fig.org/psr/) (PSR), especially:
+Patches should try to stick to the [PHP Standard Recommendations](http://www.php-fig.org/psr/) (PSR), and must follow:
 - [PSR-1](http://www.php-fig.org/psr/psr-1/) - Basic Coding Standard
 - [PSR-2](http://www.php-fig.org/psr/psr-2/) - Coding Style Guide
+- [PSR-12](http://www.php-fig.org/psr/psr-12/) - Extended Coding Style  Guide
+These are enforced on pull requests using our Continuous Integration tools.
 **Work in progress:** Static analysis is currently being discussed here: in [#95 - Fix coding style (static analysis)](https://github.com/shaarli/Shaarli/issues/95), [#130 - Continuous Integration tools & features](https://github.com/shaarli/Shaarli/issues/130)
diff --git a/doc/md/dev/Plugin-system.md b/doc/md/dev/Plugin-system.md
index f09fadc2..79654011 100644
--- a/doc/md/dev/Plugin-system.md
+++ b/doc/md/dev/Plugin-system.md
@@ -139,6 +139,31 @@ Each file contain two keys:
 > Note: In PHP, `parse_ini_file()` seems to want strings to be between by quotes `"` in the ini file.
+### Register plugin's routes
+Shaarli lets you register custom Slim routes for your plugin.
+To register a route, the plugin must include a function called `function <plugin_name>_register_routes(): array`.
+This method must return an array of routes, each entry must contain the following keys:
+  - `method`: HTTP method, `GET/POST/PUT/PATCH/DELETE`
+  - `route` (path): without prefix, e.g. `/up/{variable}`
+     It will be later prefixed by `/plugin/<plugin name>/`.
+  - `callable` string, function name or FQN class's method to execute, e.g. `demo_plugin_custom_controller`.
+Callable functions or methods must have `Slim\Http\Request` and `Slim\Http\Response` parameters
+and return a `Slim\Http\Response`. We recommend creating a dedicated class and extend either
+`ShaarliVisitorController` or `ShaarliAdminController` to use helper functions they provide.
+A dedicated plugin template is available for rendering content: `pluginscontent.html` using `content` placeholder.
+> **Warning**: plugins are not able to use RainTPL template engine for their content due to technical restrictions.
+> RainTPL does not allow to register multiple template folders, so all HTML rendering must be done within plugin
+> custom controller.
+Check out the `demo_plugin` for a live example: `GET <shaarli_url>/plugin/demo_plugin/custom`.
 ### Understanding relative paths
 Because Shaarli is a self-hosted tool, an instance can either be installed at the root directory, or under a subfolder.
diff --git a/doc/md/dev/Release-Shaarli.md b/doc/md/dev/Release-Shaarli.md
index 2c772406..d79be9ce 100644
--- a/doc/md/dev/Release-Shaarli.md
+++ b/doc/md/dev/Release-Shaarli.md
@@ -64,6 +64,14 @@ git pull upstream master
 # If releasing a new minor version, create a release branch
 $ git checkout -b v0.x
+# Otherwise just use the existing one
+$ git checkout v0.x
+# Get the latest changes
+$ git merge master
+# Check that everything went fine:
+$ make test
 # Bump shaarli_version.php from dev to 0.x.0, **without the v**
 $ vim shaarli_version.php