diff --git a/MultisiteLanguageSwitcher.php b/MultisiteLanguageSwitcher.php
index c5668805..6652b030 100644
--- a/MultisiteLanguageSwitcher.php
+++ b/MultisiteLanguageSwitcher.php
@@ -76,6 +76,7 @@ function get_the_msls( $attr ): string {
 	 * @param string[] $arr
 	 */
 	function the_msls( array $arr = array() ): void {
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		echo get_the_msls( $arr );
 	}
 
diff --git a/includes/Component/Wrapper.php b/includes/Component/Wrapper.php
new file mode 100644
index 00000000..995a0f74
--- /dev/null
+++ b/includes/Component/Wrapper.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace lloc\Msls\Component;
+
+class Wrapper {
+
+	protected string $element;
+
+	protected string $content;
+
+	public function __construct( string $element, string $content ) {
+		$this->element = $element;
+		$this->content = $content;
+	}
+
+	public function render(): string {
+		return sprintf( '<%1$s>%2$s</%1$s>', esc_html( $this->element ), wp_kses_post( $this->content ) );
+	}
+}
diff --git a/includes/ContentImport/ContentImporter.php b/includes/ContentImport/ContentImporter.php
index 34875490..00d0a512 100644
--- a/includes/ContentImport/ContentImporter.php
+++ b/includes/ContentImport/ContentImporter.php
@@ -9,6 +9,7 @@
 use lloc\Msls\MslsMain;
 use lloc\Msls\MslsOptionsPost;
 use lloc\Msls\MslsRegistryInstance;
+use lloc\Msls\MslsRequest;
 
 /**
  * Class ContentImporter
@@ -166,11 +167,12 @@ protected function pre_flight_check( array $data = array() ) {
 	 * @return array|bool
 	 */
 	public function parse_sources() {
-		if ( ! isset( $_POST['msls_import'] ) ) {
+		if ( ! MslsRequest::has_var( 'msls_import' ) ) {
 			return false;
 		}
 
-		$import_data = array_filter( explode( '|', trim( $_POST['msls_import'] ) ), 'is_numeric' );
+		$msls_import = MslsRequest::get_var( 'msls_import' );
+		$import_data = array_filter( explode( '|', trim( $msls_import ) ), 'is_numeric' );
 
 		if ( count( $import_data ) !== 2 ) {
 			return false;
@@ -195,8 +197,9 @@ protected function get_the_blog_post_ID( $blog_id ) {
 			return $id;
 		}
 
-		if ( isset( $_REQUEST['post'] ) && filter_var( $_REQUEST['post'], FILTER_VALIDATE_INT ) ) {
-			return (int) $_REQUEST['post'];
+		$request = MslsRequest::get_request( array( 'post' ) );
+		if ( ! empty( $request['post'] ) ) {
+			return (int) $request['post'];
 		}
 
 		$data = array(
diff --git a/includes/ContentImport/Importers/WithRequestPostAttributes.php b/includes/ContentImport/Importers/WithRequestPostAttributes.php
index 39f97ffa..c0f34250 100644
--- a/includes/ContentImport/Importers/WithRequestPostAttributes.php
+++ b/includes/ContentImport/Importers/WithRequestPostAttributes.php
@@ -10,6 +10,8 @@
 
 namespace lloc\Msls\ContentImport\Importers;
 
+use lloc\Msls\MslsRequest;
+
 /**
  * Trait WithRequestPostAttributes
  *
@@ -24,14 +26,11 @@ trait WithRequestPostAttributes {
 	 * @param string $default The default post type to return if none is specified in the `$_REQUEST` super-global.
 	 *
 	 * @return string Either the post type read from the `$_REQUEST` super-global, or the default value.
-	 * @since TBD
-	 *
+\    *
 	 */
 	protected function read_post_type_from_request( $default = 'post' ) {
-		if ( ! isset( $_REQUEST['post_type'] ) ) {
-			return $default;
-		}
+		$request = MslsRequest::get_request( array( 'post_type' ), $default );
 
-		return filter_var( $_REQUEST['post_type'], FILTER_SANITIZE_FULL_SPECIAL_CHARS ) ?: 'post';
+		return $request['post_type'];
 	}
 }
diff --git a/includes/ContentImport/LogWriters/AdminNoticeLogger.php b/includes/ContentImport/LogWriters/AdminNoticeLogger.php
index 15966ee8..f760770e 100644
--- a/includes/ContentImport/LogWriters/AdminNoticeLogger.php
+++ b/includes/ContentImport/LogWriters/AdminNoticeLogger.php
@@ -141,7 +141,7 @@ public function show_last_log( $echo = true ): ?string {
 		}
 
 		if ( $echo ) {
-			echo $html;
+			echo wp_kses_post( $html );
 		}
 
 		// we've shown it, no reason to keep it
diff --git a/includes/ContentImport/MetaBox.php b/includes/ContentImport/MetaBox.php
index 01791a19..10a25f08 100644
--- a/includes/ContentImport/MetaBox.php
+++ b/includes/ContentImport/MetaBox.php
@@ -2,7 +2,7 @@
 
 namespace lloc\Msls\ContentImport;
 
-use lloc\Msls\ContentImport\Importers\ImportersFactory;
+use lloc\Msls\Component\Wrapper;
 use lloc\Msls\ContentImport\Importers\Map;
 use lloc\Msls\MslsBlogCollection;
 use lloc\Msls\MslsFields;
@@ -43,26 +43,31 @@ function ( $lang ) use ( $mydata ) {
 
 			/* translators: %s: language name */
 			$label_template = __( 'Import content from %s', 'multisite-language-switcher' );
-			$output         = '<fieldset>';
-			$output        .= '<legend>'
-								. esc_html__(
-									'Warning! This will override and replace all the post content with the content from the source post!',
-									'multisite-language-switcher'
-								)
-								. '</legend>';
+
+			$warning = esc_html__(
+				'Warning! This will override and replace all the post content with the content from the source post!',
+				'multisite-language-switcher'
+			);
+
+			$legend = ( new Wrapper( 'legend', $warning ) )->render();
+
+			$output = '';
 			foreach ( $languages as $language => $label ) {
 				$id    = $mydata->{$language};
 				$blog  = $blogs->get_blog_id( $language );
 				$label = sprintf( $label_template, $label );
+
 				if ( null === $id && $has_input && $input_lang === $language ) {
 					$id   = $input_id;
 					$blog = $blogs->get_blog_id( $language );
 				}
+
 				if ( null !== $id ) {
 					$this->data = array(
 						'msls_import' => "{$blog}|{$id}",
 					);
-					$output    .= sprintf(
+
+					$output .= sprintf(
 						'<a class="button button-primary thickbox" href="%s" title="%s">%s</a>',
 						$this->inline_thickbox_url( $this->data ),
 						$label,
@@ -70,17 +75,18 @@ function ( $lang ) use ( $mydata ) {
 					);
 				}
 			}
-			$output .= '</fieldset>';
+
+			$output = ( new Wrapper( 'fieldset', $legend . $output ) )->render();
 		} else {
-			$output = '<p>' .
-						esc_html__(
-							'No translated versions linked to this post: import content functionality is disabled.',
-							'multisite-language-switcher'
-						)
-						. '</p>';
+			$warning = esc_html__(
+				'No translated versions linked to this post: import content functionality is disabled.',
+				'multisite-language-switcher'
+			);
+
+			$output = ( new Wrapper( 'p', $warning ) )->render();
 		}
 
-		echo $output;
+		echo wp_kses_post( $output );
 	}
 
 	protected function inline_thickbox_url( array $data = array() ): string {
@@ -100,6 +106,7 @@ protected function inline_thickbox_url( array $data = array() ): string {
 	}
 
 	public function print_modal_html(): void {
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		echo $this->inline_thickbox_html( true, $this->data );
 	}
 
@@ -112,145 +119,60 @@ protected function inline_thickbox_html( $echo = true, array $data = array() ):
 
 		ob_start();
 		?>
-		<div style="display: none;" id="msls-import-dialog-
-		<?php
-		echo esc_attr( $slug )
-		?>
-		">
-			<h3>
-			<?php
-				esc_html_e( 'Select what should be imported and how', 'multisite-language-switcher' )
-			?>
-			</h3>
-
-			<form action="
-			<?php
-			echo add_query_arg( array() )
-			?>
-			" method="post">
-
-				<?php
-				wp_nonce_field( MslsPlugin::path(), 'msls_noncename' );
-				?>
-
-				<?php
-				foreach ( $data as $key => $value ) :
-					?>
-					<input type="hidden" name="
-					<?php
-					echo esc_attr( $key )
-					?>
-					" value="
-					<?php
-					echo esc_attr( $value )
-					?>
-					">
-					<?php
-				endforeach;
-				?>
-
-				<?php
-				/** @var ImportersFactory $factory */
-				foreach ( Map::instance()->factories() as $slug => $factory ) :
-					?>
-					<?php
-					$details = $factory->details()
-					?>
-					<h4>
-					<?php
-						echo esc_html( $details->name )
-					?>
-					</h4>
-					<?php
-					if ( empty( $details->importers ) ) :
-						?>
+		<div style="display: none;" id="msls-import-dialog-<?php echo esc_attr( $slug ); ?>">
+			<h3><?php esc_html_e( 'Select what should be imported and how', 'multisite-language-switcher' ); ?></h3>
+			<form action="<?php echo esc_url( add_query_arg( array() ) ); ?>" method="post">
+				<?php wp_nonce_field( MslsPlugin::path(), 'msls_noncename' ); ?>
+				<?php foreach ( $data as $key => $value ) : ?>
+					<input type="hidden" name="<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $value ); ?>">
+				<?php endforeach; ?>
+				<?php foreach ( Map::instance()->factories() as $slug => $factory ) : ?>
+					<?php $details = $factory->details(); ?>
+					<h4><?php echo esc_html( $details->name ); ?></h4>
+					<?php if ( empty( $details->importers ) ) : ?>
 						<p>
 						<?php
 							esc_html_e(
 								'No importers available for this type of content.',
 								'multisite-language-switcher'
-							)
+							);
 						?>
-								</p>
-						<?php
-					else :
-						?>
-						<ul>
-							<li>
-								<label>
-									<input type="radio" name="msls_importers[
-									<?php
-									echo esc_attr( $details->slug )
-									?>
-									]">
-									<?php
-									esc_html_e(
-										'Off - Do not import this type of content in the destination post.',
-										'multisite-language-switcher'
-									)
-									?>
-								</label>
-							</li>
-							<?php
-							foreach ( $details->importers as $importer_slug => $importer_info ) :
-								?>
-								<li>
-									<label>
-										<input type="radio" name="msls_importers[
-										<?php
-										echo esc_attr( $details->slug )
-										?>
-										]"
-												value="
-												<?php
-												echo esc_attr( $importer_slug )
-												?>
-												"
-											<?php
-											checked( $details->selected, $importer_slug )
-											?>
-										>
-										<?php
-										echo( esc_html(
-											sprintf(
-												'%s -  %s',
-												$importer_info->name,
-												$importer_info->description
-											)
-										) )
-										?>
-									</label>
-								</li>
+						</p>
+					<?php else : ?>
+					<ul>
+						<li>
+							<label>
+								<input type="radio" name="msls_importers[<?php echo esc_attr( $details->slug ); ?>]">
 								<?php
-							endforeach;
-							?>
-						</ul>
-						<?php
-					endif;
-					?>
-					<?php
-				endforeach;
-				?>
-
+								esc_html_e(
+									'Off - Do not import this type of content in the destination post.',
+									'multisite-language-switcher'
+								);
+								?>
+							</label>
+						</li>
+						<?php foreach ( $details->importers as $importer_slug => $importer_info ) : ?>
+						<li>
+							<label>
+								<input type="radio" name="msls_importers[<?php echo esc_attr( $details->slug ); ?>]" value="<?php echo esc_attr( $importer_slug ); ?>" <?php checked( $details->selected, $importer_slug ); ?>>
+								<?php echo( esc_html( sprintf( '%s - %s', $importer_info->name, $importer_info->description ) ) ); ?>
+							</label>
+						</li>
+						<?php endforeach; ?>
+					</ul>
+					<?php endif; ?>
+				<?php endforeach; ?>
 				<div>
-					<input
-							type="submit"
-							class="button button-primary"
-							value="
-							<?php
-							esc_html_e( 'Import Content', 'multisite-language-switcher' )
-							?>
-							"
-					>
+					<input type="submit" class="button button-primary" value="<?php esc_html_e( 'Import Content', 'multisite-language-switcher' ); ?>">
 				</div>
 			</form>
 		</div>
-
 		<?php
+
 		$html = ob_get_clean();
 
 		if ( $echo ) {
-			echo $html;
+			echo wp_kses_post( $html );
 		}
 
 		return $html;
diff --git a/includes/MslsAdmin.php b/includes/MslsAdmin.php
index 826869c5..6bee6dae 100644
--- a/includes/MslsAdmin.php
+++ b/includes/MslsAdmin.php
@@ -109,13 +109,15 @@ public function __call( $method, $args ) {
 		);
 
 		if ( isset( $checkboxes[ $method ] ) ) {
-			echo ( new Group() )
+			$group = ( new Group() )
 				->add( new Checkbox( $method, $this->options->$method ) )
-				->add( new Label( $method, $checkboxes[ $method ] ) )
-				->render();
+				->add( new Label( $method, $checkboxes[ $method ] ) );
+
+			echo $group->render(); // phpcs:ignore WordPress.Security.EscapeOutput
 		} else {
-			$value = ! empty( $this->options->$method ) ? $this->options->$method : '';
-			echo ( new Text( $method, $value ) )->render();
+			$text = new Text( $method, ! empty( $this->options->$method ) ? $this->options->$method : '' );
+
+			echo $text->render(); // // phpcs:ignore WordPress.Security.EscapeOutput
 		}
 	}
 
@@ -155,9 +157,9 @@ public function has_problems(): bool {
 	public function render(): void {
 		printf(
 			'<div class="wrap"><div class="icon32" id="icon-options-general"><br/></div><h1>%s</h1>%s<br class="clear"/><form action="options.php" method="post"><p>%s</p>',
-			__( 'Multisite Language Switcher Options', 'multisite-language-switcher' ),
-			$this->subsubsub(),
-			__(
+			esc_html__( 'Multisite Language Switcher Options', 'multisite-language-switcher' ),
+			$this->subsubsub(), // phpcs:ignore WordPress.Security.EscapeOutput
+			esc_html__(
 				'To achieve maximum flexibility, you have to configure each blog separately.',
 				'multisite-language-switcher'
 			)
@@ -336,6 +338,7 @@ public function blog_language(): void {
 		$languages = $this->options->get_available_languages();
 		$selected  = get_locale();
 
+        // phpcs:ignore WordPress.Security.EscapeOutput
 		echo ( new Select( 'blog_language', $languages, $selected ) )->render();
 	}
 
@@ -343,6 +346,7 @@ public function blog_language(): void {
 	 * Shows the select-form-field 'display'
 	 */
 	public function display(): void {
+        // phpcs:ignore WordPress.Security.EscapeOutput
 		echo ( new Select( 'display', MslsLink::get_types_description(), strval( $this->options->display ) ) )->render();
 	}
 
@@ -350,14 +354,16 @@ public function display(): void {
 	 * Shows the select-form-field 'admin_display'
 	 */
 	public function admin_display(): void {
-		echo ( new Select(
+		$select = new Select(
 			'admin_display',
 			array(
 				MslsAdminIcon::TYPE_FLAG  => __( 'Flag', 'multisite-language-switcher' ),
 				MslsAdminIcon::TYPE_LABEL => __( 'Label', 'multisite-language-switcher' ),
 			),
 			$this->options->get_icon_type()
-		) )->render();
+		);
+
+		echo $select->render(); // phpcs:ignore WordPress.Security.EscapeOutput
 	}
 
 	/**
@@ -379,9 +385,10 @@ public function reference_user(): void {
 				'multisite-language-switcher'
 			);
 
-			trigger_error( sprintf( $format, self::MAX_REFERENCE_USERS ) );
+			trigger_error( sprintf( esc_html( $format ), esc_attr( self::MAX_REFERENCE_USERS ) ) );
 		}
 
+        // phpcs:ignore WordPress.Security.EscapeOutput
 		echo ( new Select( 'reference_user', $users, strval( $this->options->reference_user ) ) )->render();
 	}
 
@@ -391,6 +398,7 @@ public function reference_user(): void {
 	 * The language will be used ff there is no description.
 	 */
 	public function description(): void {
+        // phpcs:ignore WordPress.Security.EscapeOutput
 		echo ( new Text( 'description', $this->options->description, 40 ) )->render();
 	}
 
@@ -406,6 +414,7 @@ public function content_priority(): void {
 		$arr      = array_combine( $temp, $temp );
 		$selected = empty( $this->options->content_priority ) ? 10 : $this->options->content_priority;
 
+        // phpcs:ignore WordPress.Security.EscapeOutput
 		echo ( new Select( 'content_priority', $arr, strval( $selected ) ) )->render();
 	}
 
@@ -424,6 +433,7 @@ public function render_rewrite( $key ): void {
 			$value = $rewrite['slug'];
 		}
 
+        // phpcs:ignore WordPress.Security.EscapeOutput
 		echo ( new Text( "rewrite_{$key}", $value, 30, true ) )->render();
 	}
 
diff --git a/includes/MslsAdminIcon.php b/includes/MslsAdminIcon.php
index cc06766c..35828188 100644
--- a/includes/MslsAdminIcon.php
+++ b/includes/MslsAdminIcon.php
@@ -69,7 +69,8 @@ class MslsAdminIcon {
 	 * @param string $type
 	 */
 	public function __construct( ?string $type = null ) {
-		$this->type = esc_attr( $type );
+		$this->type = $type;
+
 		$this->set_path();
 	}
 
diff --git a/includes/MslsCustomFilter.php b/includes/MslsCustomFilter.php
index 2290c1b8..78aace28 100644
--- a/includes/MslsCustomFilter.php
+++ b/includes/MslsCustomFilter.php
@@ -53,6 +53,7 @@ public function add_filter(): void {
 
 			$id = MslsRequest::get( MslsFields::FIELD_MSLS_FILTER, 0 );
 
+            // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			echo ( new Select( MslsFields::FIELD_MSLS_FILTER, $options, $id ) )->render();
 		}
 	}
diff --git a/includes/MslsFields.php b/includes/MslsFields.php
index 906600fb..c1f76850 100644
--- a/includes/MslsFields.php
+++ b/includes/MslsFields.php
@@ -13,6 +13,8 @@ class MslsFields {
 	const FIELD_MSLS_NONCENAME = 'msls_noncename';
 	const FIELD_MSLS_ID        = 'msls_id';
 	const FIELD_MSLS_LANG      = 'msls_lang';
+	const FIELD_MSLS_IMPORT    = 'msls_import';
+	const FIELD_POST           = 'post';
 
 	const CONFIG = array(
 		self::FIELD_BLOG_ID        => array(
@@ -51,5 +53,13 @@ class MslsFields {
 			INPUT_GET,
 			FILTER_SANITIZE_FULL_SPECIAL_CHARS,
 		),
+		self::FIELD_MSLS_IMPORT    => array(
+			INPUT_POST,
+			FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+		),
+		self::FIELD_POST           => array(
+			INPUT_GET,
+			FILTER_SANITIZE_NUMBER_INT,
+		),
 	);
 }
diff --git a/includes/MslsMetaBox.php b/includes/MslsMetaBox.php
index 43c6996f..df1a8a83 100644
--- a/includes/MslsMetaBox.php
+++ b/includes/MslsMetaBox.php
@@ -3,6 +3,7 @@
 namespace lloc\Msls;
 
 use lloc\Msls\Component\InputInterface;
+use lloc\Msls\Component\Wrapper;
 use lloc\Msls\ContentImport\MetaBox as ContentImportMetaBox;
 
 /**
@@ -62,6 +63,7 @@ public static function suggest(): void {
 			restore_current_blog();
 		}
 
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		wp_die( $json->encode() );
 	}
 
@@ -200,37 +202,38 @@ public function render_select(): void {
 					 */
 					$args = (array) apply_filters( 'msls_meta_box_render_select_hierarchical', $args );
 
-					$selects .= wp_dropdown_pages( $args );
+					$selects .= wp_dropdown_pages( $args ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				} else {
 					$selects .= sprintf(
-						'<select name="msls_input_%s"><option value="0"></option>%s</select>',
-						$language,
-						$this->render_options( $type, $mydata->$language )
+						'<select name="msls_input_%1$s"><option value="0"></option>%2$s</select>',
+						esc_attr( $language ),
+						$this->render_options( $type, $mydata->$language ) // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 					);
 				}
 
 				$lis .= sprintf(
-					'<li><label for="msls_input_%s msls-icon-wrapper %4$s">%s</label>%s</li>',
-					$language,
-					$icon,
-					$selects,
+					'<li><label for="msls_input_%1$s msls-icon-wrapper %4$s">%2$s</label>%3$s</li>',
+					esc_attr( $language ),
+					$icon, // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+					$selects, // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 					esc_attr( $icon_type )
 				);
 
 				restore_current_blog();
 			}
 
-			printf( '<ul>%s</ul>', $lis );
+            // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			echo ( new Wrapper( 'ul', $lis ) )->render();
 
 			$post = $temp;
 		} else {
-			printf(
-				'<p>%s</p>',
-				__(
-					'You should define at least another blog in a different language in order to have some benefit from this plugin!',
-					'multisite-language-switcher'
-				)
+			$message = esc_html__(
+				'You should define at least another blog in a different language in order to have some benefit from this plugin!',
+				'multisite-language-switcher'
 			);
+
+            // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			echo ( new Wrapper( 'p', $message ) )->render();
 		}
 	}
 
@@ -267,11 +270,13 @@ public function render_options( $type, $msls_id ): string {
 	 * @return string
 	 */
 	public function render_option( int $post_id, int $msls_id ): string {
-		return sprintf(
-			'<option value="%d" %s>%s</option>',
-			$post_id,
-			selected( $post_id, $msls_id, false ),
-			get_the_title( $post_id )
+		return wp_kses_post(
+			sprintf(
+				'<option value="%d" %s>%s</option>',
+				esc_attr( $post_id ),
+				selected( $post_id, $msls_id, false ),
+				get_the_title( $post_id )
+			)
 		);
 	}
 
@@ -318,21 +323,23 @@ public function render_input(): void {
 				restore_current_blog();
 			}
 
-			printf(
-				'<ul>%s</ul><input type="hidden" name="msls_post_type" id="msls_post_type" value="%s"/><input type="hidden" name="msls_action" id="msls_action" value="suggest_posts"/>',
-				$items,
-				$post_type
+			echo wp_kses_post(
+				sprintf(
+					'<ul>%s</ul><input type="hidden" name="msls_post_type" id="msls_post_type" value="%s"/><input type="hidden" name="msls_action" id="msls_action" value="suggest_posts"/>',
+					$items,
+					$post_type
+				)
 			);
 
 			$post = $temp;
 		} else {
-			printf(
-				'<p>%s</p>',
-				__(
-					'You should define at least another blog in a different language in order to have some benefit from this plugin!',
-					'multisite-language-switcher'
-				)
+			$message = esc_html__(
+				'You should define at least another blog in a different language in order to have some benefit from this plugin!',
+				'multisite-language-switcher'
 			);
+
+            // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			echo ( new Wrapper( 'p', $message ) )->render();
 		}
 	}
 
diff --git a/includes/MslsPlugin.php b/includes/MslsPlugin.php
index 31a09165..d401793f 100644
--- a/includes/MslsPlugin.php
+++ b/includes/MslsPlugin.php
@@ -102,7 +102,7 @@ function () {
 	}
 
 	public static function print_alternate_links(): void {
-		echo msls_output()->get_alternate_links(), PHP_EOL;
+		echo msls_output()->get_alternate_links(), PHP_EOL; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	}
 
 	/**
diff --git a/includes/MslsPostTag.php b/includes/MslsPostTag.php
index 7ee1aebc..af7a7d19 100644
--- a/includes/MslsPostTag.php
+++ b/includes/MslsPostTag.php
@@ -71,7 +71,7 @@ public static function suggest(): void {
 			restore_current_blog();
 		}
 
-		wp_die( $json->encode() );
+		wp_die( $json->encode() ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	}
 
 	public static function init(): void {
diff --git a/includes/MslsWidget.php b/includes/MslsWidget.php
index 5acdc6a2..ac85fbae 100644
--- a/includes/MslsWidget.php
+++ b/includes/MslsWidget.php
@@ -51,7 +51,7 @@ public function widget( $args, $instance ) {
 		/** This filter is documented in wp-includes/default-widgets.php */
 		$title = apply_filters( 'widget_title', $instance['title'] ?? '', $instance, $this->id_base );
 		if ( $title ) {
-			$title = $args['before_title'] . esc_attr( $title ) . $args['after_title'];
+			$title = $args['before_title'] . esc_html( $title ) . $args['after_title'];
 		}
 
 		$content = msls_output()->__toString();
@@ -60,7 +60,7 @@ public function widget( $args, $instance ) {
 			$content = apply_filters( 'msls_widget_alternative_content', $text );
 		}
 
-		echo $args['before_widget'], $title, $content, $args['after_widget'];
+		echo wp_kses_post( $args['before_widget'] . $title . $content . $args['after_widget'] );
 	}
 
 	/**
@@ -95,7 +95,7 @@ public function form( $instance ) {
 			( isset( $instance['title'] ) ? esc_attr( $instance['title'] ) : '' )
 		);
 
-		echo $form;
+		echo wp_kses_post( $form );
 
 		return $form;
 	}
diff --git a/tests/phpunit/MslsUnitTestCase.php b/tests/phpunit/MslsUnitTestCase.php
index ca135d4b..6e2ed13f 100644
--- a/tests/phpunit/MslsUnitTestCase.php
+++ b/tests/phpunit/MslsUnitTestCase.php
@@ -21,21 +21,21 @@ protected function setUp(): void {
 
 		\Mockery::namedMock( 'WooCommerce', \stdClass::class );
 
-		Functions\when( 'esc_html' )->returnArg();
+		Functions\when( '__' )->returnArg();
 		Functions\when( 'esc_attr' )->returnArg();
+		Functions\when( 'esc_html' )->returnArg();
+		Functions\when( 'esc_html__' )->returnArg();
 		Functions\when( 'esc_url' )->returnArg();
-		Functions\when( '__' )->returnArg();
 		Functions\when( 'wp_kses' )->returnArg();
 		Functions\when( 'wp_kses_post' )->returnArg();
 		Functions\when( 'sanitize_text_field' )->returnArg();
 	}
 
-
 	protected function tearDown(): void {
 		restore_error_handler();
 
-		Monkey\tearDown();
 		\Mockery::close();
+		Monkey\tearDown();
 
 		parent::tearDown();
 	}
diff --git a/tests/phpunit/TestMslsAdmin.php b/tests/phpunit/TestMslsAdmin.php
index 547b6e27..55147243 100644
--- a/tests/phpunit/TestMslsAdmin.php
+++ b/tests/phpunit/TestMslsAdmin.php
@@ -373,7 +373,6 @@ function test_main_section(): void {
 		$obj = $this->get_sut();
 
 		Functions\expect( 'add_settings_field' )->times( 12 )->andReturnFirstArg();
-		Functions\expect( 'esc_html__' )->times( 12 )->andReturnFirstArg();
 
 		$this->assertEquals( 12, $obj->main_section() );
 	}
@@ -382,7 +381,6 @@ function test_advanced_section(): void {
 		$obj = $this->get_sut();
 
 		Functions\expect( 'add_settings_field' )->times( 5 )->andReturnFirstArg();
-		Functions\expect( 'esc_html__' )->times( 5 )->andReturnFirstArg();
 
 		$this->assertEquals( 5, $obj->advanced_section() );
 	}
diff --git a/tests/phpunit/TestMslsLink.php b/tests/phpunit/TestMslsLink.php
index 99bbe959..984cae66 100644
--- a/tests/phpunit/TestMslsLink.php
+++ b/tests/phpunit/TestMslsLink.php
@@ -27,14 +27,10 @@ public function test_get_types(): void {
 	}
 
 	public function test_get_description(): void {
-		Functions\when( '__' )->returnArg();
-
 		$this->assertEquals( 'Flag and description', MslsLink::get_description() );
 	}
 
 	public function test_get_types_description(): void {
-		Functions\when( '__' )->returnArg();
-
 		$this->assertCount( 4, MslsLink::get_types_description() );
 	}
 
diff --git a/tests/phpunit/TestMslsLinkImageOnly.php b/tests/phpunit/TestMslsLinkImageOnly.php
index f32f69ec..154777da 100644
--- a/tests/phpunit/TestMslsLinkImageOnly.php
+++ b/tests/phpunit/TestMslsLinkImageOnly.php
@@ -8,8 +8,6 @@
 class TestMslsLinkImageOnly extends MslsUnitTestCase {
 
 	public function test_get_description_method(): void {
-		Functions\when( '__' )->returnArg();
-
 		$this->assertIsSTring( MslsLinkImageOnly::get_description() );
 	}
 }
diff --git a/tests/phpunit/TestMslsLinkTextImage.php b/tests/phpunit/TestMslsLinkTextImage.php
index 87cf961a..7719abf1 100644
--- a/tests/phpunit/TestMslsLinkTextImage.php
+++ b/tests/phpunit/TestMslsLinkTextImage.php
@@ -8,8 +8,6 @@
 class TestMslsLinkTextImage extends MslsUnitTestCase {
 
 	public function test_get_description_method(): void {
-		Functions\when( '__' )->returnArg();
-
 		$this->assertIsSTring( MslsLinkTextImage::get_description() );
 	}
 }
diff --git a/tests/phpunit/TestMslsLinkTextOnly.php b/tests/phpunit/TestMslsLinkTextOnly.php
index 8a010ef1..72757b11 100644
--- a/tests/phpunit/TestMslsLinkTextOnly.php
+++ b/tests/phpunit/TestMslsLinkTextOnly.php
@@ -8,8 +8,6 @@
 class TestMslsLinkTextOnly extends MslsUnitTestCase {
 
 	public function test_get_description_method(): void {
-		Functions\when( '__' )->returnArg();
-
 		$this->assertIsSTring( MslsLinkTextOnly::get_description() );
 	}
 }
diff --git a/tests/phpunit/TestMslsMetaBox.php b/tests/phpunit/TestMslsMetaBox.php
index 9b81955d..b14306e7 100644
--- a/tests/phpunit/TestMslsMetaBox.php
+++ b/tests/phpunit/TestMslsMetaBox.php
@@ -17,13 +17,9 @@
 class TestMslsMetaBox extends MslsUnitTestCase {
 
 	protected function setUp(): void {
-		Functions\when( 'plugin_dir_path' )->justReturn( dirname( __DIR__, 2 ) . '/' );
+		parent::setUp();
 
-		Functions\when( 'esc_attr' )->returnArg();
-		Functions\when( 'esc_html' )->returnArg();
-		Functions\when( 'esc_url' )->returnArg();
-		Functions\when( 'wp_kses' )->returnArg();
-		Functions\when( '__' )->returnArg();
+		Functions\when( 'plugin_dir_path' )->justReturn( dirname( __DIR__, 2 ) . '/' );
 
 		$blog = \Mockery::mock( MslsBlog::class );
 		$blog->shouldReceive( 'get_language' )->andReturn( 'de_DE' );
@@ -69,7 +65,6 @@ public function test_suggest(): void {
 		Functions\expect( 'filter_input' )->once()->with( INPUT_POST, MslsFields::FIELD_S, FILTER_SANITIZE_FULL_SPECIAL_CHARS )->andReturn( 17 );
 		Functions\expect( 'get_post_stati' )->once()->andReturn( array( 'pending', 'draft', 'future' ) );
 		Functions\expect( 'get_the_title' )->once()->andReturn( 'Test' );
-		Functions\expect( 'sanitize_text_field' )->times( 2 )->andReturnFirstArg();
 		Functions\expect( 'get_posts' )->once()->andReturn( array( $post ) );
 		Functions\expect( 'switch_to_blog' )->once();
 		Functions\expect( 'restore_current_blog' )->once();
diff --git a/tests/phpunit/TestMslsSqlCacher.php b/tests/phpunit/TestMslsSqlCacher.php
index 324a00cb..18f9bed9 100644
--- a/tests/phpunit/TestMslsSqlCacher.php
+++ b/tests/phpunit/TestMslsSqlCacher.php
@@ -8,6 +8,8 @@
 class TestMslsSqlCacher extends MslsUnitTestCase {
 
 	protected function setUp(): void {
+		parent::setUp();
+
 		$wpdb = \Mockery::mock( \WPDB::class );
 
 		$wpdb->shouldReceive( 'prepare' )->andReturn( '' );
@@ -19,8 +21,6 @@ protected function setUp(): void {
 	public function test_create(): void {
 		global $wpdb;
 
-		Functions\expect( 'esc_attr' )->atLeast()->once()->andReturnFirstArg();
-
 		$wpdb = \Mockery::mock( \WPDB::class );
 
 		$this->assertInstanceOf( MslsSqlCacher::class, MslsSqlCacher::create( 'MslsSqlCacherTest', '' ) );
diff --git a/tests/phpunit/WP_Widget.php b/tests/phpunit/WP_Widget.php
index 142a0a06..61892f47 100644
--- a/tests/phpunit/WP_Widget.php
+++ b/tests/phpunit/WP_Widget.php
@@ -30,7 +30,7 @@ public function __construct( $id_base, $name, $widget_options = array(), $contro
 	 * @return string ID attribute for `$field_name`.
 	 */
 	public function get_field_id( string $field_name ) {
-		return sprintf( 'field-id-%s', esc_attr( $field_name ) );
+		return sprintf( 'field-id-%s', $field_name );
 	}
 
 	/**
@@ -39,6 +39,6 @@ public function get_field_id( string $field_name ) {
 	 * @return string Name attribute for `$field_name`.
 	 */
 	public function get_field_name( $field_name ) {
-		return sprintf( 'field-name-%s', esc_attr( $field_name ) );
+		return sprintf( 'field-name-%s', $field_name );
 	}
 }