diff --git a/htdocs/bookmarks/card.php b/htdocs/bookmarks/card.php
index b8d0949a1f0..5f7687a3d26 100644
--- a/htdocs/bookmarks/card.php
+++ b/htdocs/bookmarks/card.php
@@ -153,7 +153,7 @@ if ($action == 'create')
 
 	print '<table class="border centpercent tableforfieldcreate">';
 
-	print '<tr><td class="titlefieldcreate fieldrequired">'.$langs->trans("BookmarkTitle").'</td><td><input id="titlebookmark" class="flat minwidth100" name="title" value="'.$title.'"></td><td class="hideonsmartphone">'.$langs->trans("SetHereATitleForLink").'</td></tr>';
+	print '<tr><td class="titlefieldcreate fieldrequired">'.$langs->trans("BookmarkTitle").'</td><td><input id="titlebookmark" class="flat minwidth300" name="title" value="'.dol_escape_htmltag($title).'"></td><td class="hideonsmartphone">'.$langs->trans("SetHereATitleForLink").'</td></tr>';
 	dol_set_focus('#titlebookmark');
 
 	// Url
@@ -167,12 +167,12 @@ if ($action == 'create')
 
 	// Owner
 	print '<tr><td>'.$langs->trans("Owner").'</td><td>';
-	print img_picto('', 'user').' '.$form->select_dolusers(isset($_POST['userid']) ? $_POST['userid'] : $user->id, 'userid', 1, '', 0, '', '', 0, 0, 0, '', 0, '', 'maxwidth300');
+	print img_picto('', 'user').' '.$form->select_dolusers(GETPOSTISSET('userid') ? GETPOST('userid', 'int') : $user->id, 'userid', 1, '', 0, '', '', 0, 0, 0, '', 0, '', 'maxwidth300');
 	print '</td><td class="hideonsmartphone">&nbsp;</td></tr>';
 
 	// Position
 	print '<tr><td>'.$langs->trans("Position").'</td><td>';
-	print '<input class="flat" name="position" size="5" value="'.(isset($_POST["position"]) ? $_POST["position"] : $object->position).'">';
+	print '<input class="flat" name="position" size="5" value="'.(GETPOSTISSET("position") ? GETPOST("position", 'int') : $object->position).'">';
 	print '</td><td class="hideonsmartphone">&nbsp;</td></tr>';
 
 	print '</table>';
@@ -238,7 +238,7 @@ if ($id > 0 && !preg_match('/^add/i', $action))
 	}
 
 	print '</td><td>';
-	if ($action == 'edit') print '<input class="flat minwidth200" name="title" value="'.(isset($_POST["title"]) ?GETPOST("title", '', 2) : $object->title).'">';
+	if ($action == 'edit') print '<input class="flat minwidth300" name="title" value="'.(GETPOSTISSET("title") ? GETPOST("title", '', 2) : $object->title).'">';
 	else print $object->title;
 	print '</td></tr>';
 
@@ -251,7 +251,7 @@ if ($id > 0 && !preg_match('/^add/i', $action))
 		print '</span>';
 	}
 	print '</td><td>';
-	if ($action == 'edit') print '<input class="flat minwidth500" name="url" value="'.(isset($_POST["url"]) ? $_POST["url"] : $object->url).'">';
+	if ($action == 'edit') print '<input class="flat minwidth500 quatrevingtpercent" name="url" value="'.(GETPOSTISSET("url") ? GETPOST("url") : $object->url).'">';
 	else print '<a href="'.(preg_match('/^http/i', $object->url) ? $object->url : DOL_URL_ROOT.$object->url).'"'.($object->target ? ' target="_blank"' : '').'>'.$object->url.'</a>';
 	print '</td></tr>';
 
@@ -259,7 +259,7 @@ if ($id > 0 && !preg_match('/^add/i', $action))
 	if ($action == 'edit')
 	{
 		$liste = array(1=>$langs->trans("OpenANewWindow"), 0=>$langs->trans("ReplaceWindow"));
-		print $form->selectarray('target', $liste, isset($_POST["target"]) ? $_POST["target"] : $object->target);
+		print $form->selectarray('target', $liste, GETPOSTISSET("target") ? GETPOST("target") : $object->target);
 	} else {
 		if ($object->target == 0) print $langs->trans("ReplaceWindow");
 		if ($object->target == 1) print $langs->trans("OpenANewWindow");
@@ -269,7 +269,7 @@ if ($id > 0 && !preg_match('/^add/i', $action))
 	print '<tr><td>'.$langs->trans("Owner").'</td><td>';
 	if ($action == 'edit' && $user->admin)
 	{
-		print img_picto('', 'user').' '.$form->select_dolusers(isset($_POST['userid']) ? $_POST['userid'] : ($object->fk_user ? $object->fk_user : ''), 'userid', 1, '', 0, '', '', 0, 0, 0, '', 0, '', 'maxwidth300');
+		print img_picto('', 'user').' '.$form->select_dolusers(GETPOSTISSET('userid') ? GETPOST('userid', 'int') : ($object->fk_user ? $object->fk_user : ''), 'userid', 1, '', 0, '', '', 0, 0, 0, '', 0, '', 'maxwidth300');
 	} else {
 		if ($object->fk_user > 0)
 		{
@@ -284,7 +284,7 @@ if ($id > 0 && !preg_match('/^add/i', $action))
 
 	// Position
 	print '<tr><td>'.$langs->trans("Position").'</td><td>';
-	if ($action == 'edit') print '<input class="flat" name="position" size="5" value="'.(isset($_POST["position"]) ? $_POST["position"] : $object->position).'">';
+	if ($action == 'edit') print '<input class="flat" name="position" size="5" value="'.(GETPOSTISSET("position") ? GETPOST("position", 'int') : $object->position).'">';
 	else print $object->position;
 	print '</td></tr>';
 
diff --git a/htdocs/bookmarks/list.php b/htdocs/bookmarks/list.php
index 7f70d74f5d9..6ad2770aa25 100644
--- a/htdocs/bookmarks/list.php
+++ b/htdocs/bookmarks/list.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2005-2012 Laurent Destailleur       <eldy@users.sourceforge.net>
+/* Copyright (C) 2005-2020 Laurent Destailleur       <eldy@users.sourceforge.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -197,14 +197,14 @@ while ($i < min($num, $limit))
 	// Title
 	print "<td>";
 	$linkintern = 1;
-	if ($linkintern) print "<a href=\"".$obj->url."\">";
+	if ($linkintern) print '<a href="'.$obj->url.'">';
 	print $title;
 	if ($linkintern) print "</a>";
 	print "</td>\n";
 
 	// Url
 	print '<td class="tdoverflowmax200">';
-	if (!$linkintern) print '<a href="'.$obj->url.'"'.($obj->target ? ' target="newlink"' : '').'>';
+	if (!$linkintern) print '<a href="'.$obj->url.'"'.($obj->target ? ' target="newlink" rel="noopener"' : '').'>';
 	print $link;
 	if (!$linkintern) print '</a>';
 	print "</td>\n";
@@ -241,7 +241,7 @@ while ($i < min($num, $limit))
 	print '<td class="nowrap right">';
 	if ($user->rights->bookmark->creer)
 	{
-		print '<a class="editfielda" href="'.DOL_URL_ROOT."/bookmarks/card.php?action=edit&token='.newToken().'&id=".$obj->rowid."&backtopage=".urlencode($_SERVER["PHP_SELF"]).'">'.img_edit()."</a>";
+		print '<a class="editfielda" href="'.DOL_URL_ROOT.'/bookmarks/card.php?action=edit&token='.newToken().'&id='.$obj->rowid.'&backtopage='.urlencode($_SERVER["PHP_SELF"]).'">'.img_edit()."</a>";
 	}
 	if ($user->rights->bookmark->supprimer)
 	{

'.$langs->trans("BookmarkTitle").'		'.$langs->trans("SetHereATitleForLink").'
'.$langs->trans("BookmarkTitle").'		'.$langs->trans("SetHereATitleForLink").'
'.$langs->trans("Owner").'	'; - print img_picto('', 'user').' '.$form->select_dolusers(isset($_POST['userid']) ? $_POST['userid'] : $user->id, 'userid', 1, '', 0, '', '', 0, 0, 0, '', 0, '', 'maxwidth300'); + print img_picto('', 'user').' '.$form->select_dolusers(GETPOSTISSET('userid') ? GETPOST('userid', 'int') : $user->id, 'userid', 1, '', 0, '', '', 0, 0, 0, '', 0, '', 'maxwidth300'); print '
'.$langs->trans("Position").'	'; - print 'position).'">'; + print 'position).'">'; print '