diff --git a/assets/js/sidebars/helpers.js b/assets/js/sidebars/helpers.js index dca9c20f0..ee02af0c6 100644 --- a/assets/js/sidebars/helpers.js +++ b/assets/js/sidebars/helpers.js @@ -14,6 +14,7 @@ export function request(action, name) { return new Promise((resolve, reject) => { const request = $.post(window.ajaxurl, { action: `carbon_fields_${action}_sidebar`, + nonce: carbonFieldsSecurity[`${action}SidebarNonce`], name: name }, null, 'json'); diff --git a/core/Container/Condition/Comparer/Any_Contain_Comparer.php b/core/Container/Condition/Comparer/Any_Contain_Comparer.php index 59b6a3744..511c50c45 100644 --- a/core/Container/Condition/Comparer/Any_Contain_Comparer.php +++ b/core/Container/Condition/Comparer/Any_Contain_Comparer.php @@ -23,7 +23,9 @@ class Any_Contain_Comparer extends Comparer { */ public function is_correct( $a, $comparison_operator, $b ) { if ( ! is_array( $b ) ) { + // @codingStandardsIgnoreStart Incorrect_Syntax_Exception::raise( 'Supplied comparison value is not an array: ' . print_r( $b, true ) ); + // @codingStandardsIgnoreEnd return false; } diff --git a/core/Container/Condition/Comparer/Any_Equality_Comparer.php b/core/Container/Condition/Comparer/Any_Equality_Comparer.php index ff84a2e17..fc379d7ca 100644 --- a/core/Container/Condition/Comparer/Any_Equality_Comparer.php +++ b/core/Container/Condition/Comparer/Any_Equality_Comparer.php @@ -22,9 +22,9 @@ class Any_Equality_Comparer extends Comparer { public function is_correct( $a, $comparison_operator, $b ) { switch ( $comparison_operator ) { case '=': - return in_array( $b, $a ); + return in_array( $b, $a, true ); case '!=': - return ! in_array( $b, $a ); + return ! in_array( $b, $a, true ); } return false; } diff --git a/core/Container/Condition/Comparer/Comparer.php b/core/Container/Condition/Comparer/Comparer.php index 649c684db..94dc4ab46 100644 --- a/core/Container/Condition/Comparer/Comparer.php +++ b/core/Container/Condition/Comparer/Comparer.php 
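Review bot: The added `nonce:` line reads `carbonFieldsSecurity` as a bare global, unlike `window.ajaxurl` on the line above; if the localized object is absent (script enqueued without it, or `action` is not one of the keys it carries) the lookup throws a ReferenceError inside the Promise executor and the caller sees an opaque rejection instead of a missing-nonce error. Resolve it defensively before the `$.post` call — read `window.carbonFieldsSecurity` with an empty-object fallback into a local `nonce`, and reject with a clear Error when that is undefined — then pass `nonce: nonce,` in the payload. The key pattern `${action}SidebarNonce` couples this file to the key names chosen in Loader::enqueue_scripts and deserves a one-line comment saying so. The enclosing request() body continues outside the hunk.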
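Review bot: The `// @codingStandardsIgnoreStart` / `// @codingStandardsIgnoreEnd` pair around the `Incorrect_Syntax_Exception::raise( ... print_r( $b, true ) )` line silences every sniff for that line, not only the development-functions warning about `print_r`, so any future problem introduced there (unescaped output, unprepared SQL) is hidden as well. A line-scoped ignore naming the single sniff being suppressed keeps the remaining checks active; the same pattern appears in Contain_Comparer, Custom_Comparer, Scalar_Comparer, Array_Translator, Translator and WP_Toolset in this commit. The message appears to end up in the wp_die() page rendered by Loader::trigger_fields_register, so a short comment that the `print_r` dump is intentional and must never carry secrets would help the next reader.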
@@ -18,7 +18,7 @@ abstract class Comparer { * @return bool */ public function supports_comparison_operator( $comparison_operator ) { - return in_array( $comparison_operator, $this->supported_comparison_operators ); + return in_array( $comparison_operator, $this->supported_comparison_operators, true ); } /** diff --git a/core/Container/Condition/Comparer/Contain_Comparer.php b/core/Container/Condition/Comparer/Contain_Comparer.php index deacb073a..c58dbd921 100644 --- a/core/Container/Condition/Comparer/Contain_Comparer.php +++ b/core/Container/Condition/Comparer/Contain_Comparer.php @@ -23,15 +23,17 @@ class Contain_Comparer extends Comparer { */ public function is_correct( $a, $comparison_operator, $b ) { if ( ! is_array( $b ) ) { + // @codingStandardsIgnoreStart Incorrect_Syntax_Exception::raise( 'Supplied comparison value is not an array: ' . print_r( $b, true ) ); + // @codingStandardsIgnoreEnd return false; } switch ( $comparison_operator ) { case 'IN': - return in_array( $a, $b ); + return in_array( $a, $b, true ); case 'NOT IN': - return ! in_array( $a, $b ); + return ! in_array( $a, $b, true ); } return false; } diff --git a/core/Container/Condition/Comparer/Custom_Comparer.php b/core/Container/Condition/Comparer/Custom_Comparer.php index 279944380..da0bea268 100644 --- a/core/Container/Condition/Comparer/Custom_Comparer.php +++ b/core/Container/Condition/Comparer/Custom_Comparer.php @@ -23,7 +23,9 @@ class Custom_Comparer extends Comparer { */ public function is_correct( $a, $comparison_operator, $b ) { if ( ! is_callable( $b ) ) { + // @codingStandardsIgnoreStart Incorrect_Syntax_Exception::raise( 'Supplied comparison value is not a callable: ' . print_r( $b, true ) ); + // @codingStandardsIgnoreEnd return false; } diff --git a/core/Container/Condition/Comparer/Scalar_Comparer.php b/core/Container/Condition/Comparer/Scalar_Comparer.php index 205fc3bad..7d7947b06 100644 --- a/core/Container/Condition/Comparer/Scalar_Comparer.php 
+++ b/core/Container/Condition/Comparer/Scalar_Comparer.php @@ -23,12 +23,16 @@ class Scalar_Comparer extends Comparer { */ public function is_correct( $a, $comparison_operator, $b ) { if ( ! is_scalar( $a ) ) { + // @codingStandardsIgnoreStart Incorrect_Syntax_Exception::raise( 'Environment value for comparison is not scalar: ' . print_r( $a, true ) ); + // @codingStandardsIgnoreEnd return false; } if ( ! is_scalar( $b ) ) { + // @codingStandardsIgnoreStart Incorrect_Syntax_Exception::raise( 'Supplied comparison value is not scalar: ' . print_r( $b, true ) ); + // @codingStandardsIgnoreEnd return false; } diff --git a/core/Container/Condition/Term_Condition.php b/core/Container/Condition/Term_Condition.php index 334ce6ea4..06856ff73 100644 --- a/core/Container/Condition/Term_Condition.php +++ b/core/Container/Condition/Term_Condition.php @@ -100,11 +100,11 @@ public function is_fulfilled( $environment ) { break; case 'IN': $value_term_ids = $this->get_term_ids_from_full_term_descriptors( $this->get_value() ); - return in_array( $term_id, $value_term_ids ); + return in_array( $term_id, $value_term_ids, true ); break; case 'NOT IN': $value_term_ids = $this->get_term_ids_from_full_term_descriptors( $this->get_value() ); - return ! in_array( $term_id, $value_term_ids ); + return ! in_array( $term_id, $value_term_ids, true ); break; } diff --git a/core/Container/Container.php b/core/Container/Container.php index b9c688cb2..d08707248 100644 --- a/core/Container/Container.php +++ b/core/Container/Container.php @@ -565,7 +565,7 @@ public function get_field_by_name( $field_name ) { * @return boolean */ protected function register_field_name( $name ) { - if ( in_array( $name, $this->registered_field_names ) ) { + if ( in_array( $name, $this->registered_field_names, true ) ) { Incorrect_Syntax_Exception::raise( 'Field name "' . $name . '" already registered' ); return false; } 
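Review bot: Switching to `in_array( $term_id, $value_term_ids, true )` makes the 'IN'/'NOT IN' branches type-sensitive, and neither `$term_id` nor the ids returned by `get_term_ids_from_full_term_descriptors()` are visibly normalised in this hunk; if `$term_id` arrives as a numeric string from the request environment while the descriptors yield integers, 'IN' silently stops matching and 'NOT IN' always passes. Normalise before comparing, e.g. `return in_array( intval( $term_id ), array_map( 'intval', $value_term_ids ), true );` (and the negated form for 'NOT IN'), or document the type contract of `$term_id` in the method docblock. The equivalent strict-comparison changes in Container, Fulfillable_Collection and Field compare strings against string constants and look safe. is_fulfilled() begins before the hunk and continues after it.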
@@ -692,7 +692,7 @@ protected function get_untabbed_fields() { } $untabbed_fields = array_filter( $this->fields, function( $field ) use ( $tabbed_fields_names ) { - return ! in_array( $field->get_name(), $tabbed_fields_names ); + return ! in_array( $field->get_name(), $tabbed_fields_names, true ); } ); return $untabbed_fields; diff --git a/core/Container/Fulfillable/Fulfillable_Collection.php b/core/Container/Fulfillable/Fulfillable_Collection.php index 68cdf5978..a18296fc5 100644 --- a/core/Container/Fulfillable/Fulfillable_Collection.php +++ b/core/Container/Fulfillable/Fulfillable_Collection.php @@ -119,7 +119,7 @@ public function is_condition_type_list_whitelist() { * @return bool */ public function is_condition_type_allowed( $condition_type ) { - $in_list = in_array( $condition_type, $this->get_condition_type_list() ); + $in_list = in_array( $condition_type, $this->get_condition_type_list(), true ); if ( $this->is_condition_type_list_whitelist() ) { return $in_list; } @@ -224,7 +224,7 @@ protected function where_collection( $collection_callable, $fulfillable_comparis * @param string $fulfillable_comparison See static::$supported_fulfillable_comparisons */ public function add_fulfillable( Fulfillable $fulfillable, $fulfillable_comparison ) { - if ( ! in_array( $fulfillable_comparison, $this->supported_fulfillable_comparisons ) ) { + if ( ! in_array( $fulfillable_comparison, $this->supported_fulfillable_comparisons, true ) ) { Incorrect_Syntax_Exception::raise( 'Invalid fulfillable comparison passed: ' . $fulfillable_comparison ); return; } @@ -277,7 +277,7 @@ public function filter( $condition_whitelist ) { $collection->add_fulfillable( $filtered_collection, $fulfillable_comparison ); } else { $type = $this->condition_factory->get_type( get_class( $fulfillable ) ); - if ( ! in_array( $type, $condition_whitelist ) ) { + if ( ! in_array( $type, $condition_whitelist, true ) ) { continue; } 
@@ -315,12 +315,12 @@ public function evaluate( $condition_types, $environment, $comparison_operators $type = $this->condition_factory->get_type( get_class( $fulfillable ) ); $comparison_operator = $fulfillable->get_comparison_operator(); - $condition_type_match = in_array( $type, $condition_types ); + $condition_type_match = in_array( $type, $condition_types, true ); if ( $condition_types_blacklist ) { $condition_type_match = ! $condition_type_match; } - $comparison_operator_match = in_array( $comparison_operator, $comparison_operators ); + $comparison_operator_match = in_array( $comparison_operator, $comparison_operators, true ); if ( $comparison_operators_blacklist ) { $comparison_operator_match = ! $comparison_operator_match; } @@ -362,13 +362,13 @@ public function is_fulfilled( $environment ) { // minor optimization - avoid unnecessary AND check if $fulfilled is currently false // false && whatever is always false - if ( $fulfillable_comparison == 'AND' && $fulfilled ) { + if ( $fulfillable_comparison === 'AND' && $fulfilled ) { $fulfilled = $fulfillable->is_fulfilled( $environment ); } // minor optimization - avoid unnecessary OR check if $fulfilled is currently true // true || whatever is always true - if ( $fulfillable_comparison == 'OR' && ! $fulfilled ) { + if ( $fulfillable_comparison === 'OR' && ! $fulfilled ) { $fulfilled = $fulfillable->is_fulfilled( $environment ); } } diff --git a/core/Container/Fulfillable/Translator/Array_Translator.php b/core/Container/Fulfillable/Translator/Array_Translator.php index 586c5dec2..4b2345c87 100644 --- a/core/Container/Fulfillable/Translator/Array_Translator.php +++ b/core/Container/Fulfillable/Translator/Array_Translator.php 
@@ -82,7 +82,9 @@ protected function fulfillable_collection_to_foreign( Fulfillable_Collection $fu */ public function foreign_to_fulfillable( $foreign ) { if ( ! is_array( $foreign ) ) { + // @codingStandardsIgnoreStart Incorrect_Syntax_Exception::raise( 'Invalid data passed to array condition translator: ' . print_r( $foreign, true ) ); + // @codingStandardsIgnoreEnd return null; } diff --git a/core/Container/Fulfillable/Translator/Translator.php b/core/Container/Fulfillable/Translator/Translator.php index 560c28088..2c5222f77 100644 --- a/core/Container/Fulfillable/Translator/Translator.php +++ b/core/Container/Fulfillable/Translator/Translator.php @@ -24,7 +24,9 @@ public function fulfillable_to_foreign( Fulfillable $fulfillable ) { return $this->fulfillable_collection_to_foreign( $fulfillable ); } + // @codingStandardsIgnoreStart Incorrect_Syntax_Exception::raise( 'Attempted to translate an unsupported object: ' . print_r( $fulfillable, true ) ); + // @codingStandardsIgnoreEnd return null; } diff --git a/core/Container/Repository.php b/core/Container/Repository.php index 002b2f036..5a62a327c 100644 --- a/core/Container/Repository.php +++ b/core/Container/Repository.php @@ -170,7 +170,7 @@ public function get_active_containers() { * @param string $id */ public function is_unique_container_id( $id ) { - return ! in_array( $id, $this->registered_container_ids ); + return ! in_array( $id, $this->registered_container_ids, true ); } /** diff --git a/core/Container/Theme_Options_Container.php b/core/Container/Theme_Options_Container.php index 355864ea9..18e427863 100644 --- a/core/Container/Theme_Options_Container.php +++ b/core/Container/Theme_Options_Container.php 
@@ -235,7 +235,7 @@ protected function register_page() { static::$registered_pages[ $parent ] = array(); } - if ( in_array( $file, static::$registered_pages[ $parent ] ) ) { + if ( in_array( $file, static::$registered_pages[ $parent ], true ) ) { Incorrect_Syntax_Exception::raise( 'Page "' . $file . '" with parent "' . $parent . '" is already registered. Please set a name for the container.' ); return false; } diff --git a/core/Container/Widget_Container.php b/core/Container/Widget_Container.php index 3f3e810bd..43d111d3e 100644 --- a/core/Container/Widget_Container.php +++ b/core/Container/Widget_Container.php @@ -48,7 +48,7 @@ public function is_valid_attach_for_request() { $request_action = isset( $input['action'] ) ? $input['action'] : ''; $is_widget_save = ( $request_action === 'save-widget' ); - if ( ( ! $screen || ! in_array( $screen->id, array( 'widgets', 'customize' ) ) ) && ! $is_widget_save ) { + if ( ( ! $screen || ! in_array( $screen->id, array( 'widgets', 'customize' ), true ) ) && ! $is_widget_save ) { return false; } diff --git a/core/Datastore/Meta_Datastore.php b/core/Datastore/Meta_Datastore.php index c0f4299f4..0f70163e3 100644 --- a/core/Datastore/Meta_Datastore.php +++ b/core/Datastore/Meta_Datastore.php @@ -26,6 +26,7 @@ protected function get_storage_array( Field $field, $storage_key_patterns ) { $storage_key_comparisons = $this->key_toolset->storage_key_patterns_to_sql( '`meta_key`', $storage_key_patterns ); + // @codingStandardsIgnoreStart sanitized in `storage_key_patterns_to_sql` $storage_array = $wpdb->get_results( ' SELECT `meta_key` AS `key`, `meta_value` AS `value` FROM ' . $this->get_table_name() . ' @@ -33,6 +34,7 @@ protected function get_storage_array( Field $field, $storage_key_patterns ) { AND ' . $storage_key_comparisons . ' ORDER BY `meta_key` ASC ' ); + // @codingStandardsIgnoreEnd $storage_array = apply_filters( 'carbon_fields_datastore_storage_array', $storage_array, $this, $storage_key_patterns ); 
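Review bot: The justification `// @codingStandardsIgnoreStart sanitized in `storage_key_patterns_to_sql`` covers `$storage_key_comparisons` only, but the wrapped query also interpolates `$this->get_table_name()`, and the delete() hunk below additionally interpolates `$this->get_table_field_name()` and `intval( $this->get_object_id() )`; an auditor of the unprepared SQL has to check those separately, so the comment should name each interpolated piece and why it is safe (internal table/column names, integer-cast id). `@codingStandardsIgnoreStart` also disables every sniff for the region rather than the unprepared-SQL one, and a line-scoped ignore for that specific sniff is narrower. Theme_Options_Datastore uses the same wording; Term_Meta_Datastore says `// sanitized above.` although `$charset_collate` is assembled from `$wpdb` configuration and nothing sanitizes it (say that instead); Legacy_Storage_Service_v_1_5 says `// sanitized above` while the `$where_clause` construction is outside its hunk, so the claim cannot be verified there.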
@@ -69,12 +71,14 @@ public function delete( Field $field ) { ); $storage_key_comparisons = $this->key_toolset->storage_key_patterns_to_sql( '`meta_key`', $storage_key_patterns ); + // @codingStandardsIgnoreStart sanitized in `storage_key_patterns_to_sql` $meta_keys = $wpdb->get_col( ' SELECT `meta_key` FROM `' . $this->get_table_name() . '` WHERE `' . $this->get_table_field_name() . '` = ' . intval( $this->get_object_id() ) . ' AND ' . $storage_key_comparisons . ' ' ); + // @codingStandardsIgnoreEnd foreach ( $meta_keys as $meta_key ) { delete_metadata( $this->get_meta_type(), $this->get_object_id(), $meta_key ); diff --git a/core/Datastore/Term_Meta_Datastore.php b/core/Datastore/Term_Meta_Datastore.php index c1420a232..64ba18a6b 100644 --- a/core/Datastore/Term_Meta_Datastore.php +++ b/core/Datastore/Term_Meta_Datastore.php @@ -49,6 +49,7 @@ public static function create_table() { $charset_collate .= ' COLLATE ' . $wpdb->collate; } + // @codingStandardsIgnoreStart sanitized above. $wpdb->query( 'CREATE TABLE ' . $wpdb->prefix . 'termmeta ( meta_id bigint(20) unsigned NOT NULL auto_increment, term_id bigint(20) unsigned NOT NULL default "0", @@ -58,6 +59,7 @@ public static function create_table() { KEY term_id (term_id), KEY meta_key (meta_key) ) ' . $charset_collate . ';' ); + // @codingStandardsIgnoreEnd } /** diff --git a/core/Datastore/Theme_Options_Datastore.php b/core/Datastore/Theme_Options_Datastore.php index 087abc5aa..d0ac0be33 100644 --- a/core/Datastore/Theme_Options_Datastore.php +++ b/core/Datastore/Theme_Options_Datastore.php 
@@ -26,12 +26,14 @@ protected function get_storage_array( Field $field, $storage_key_patterns ) { $storage_key_comparisons = $this->key_toolset->storage_key_patterns_to_sql( '`option_name`', $storage_key_patterns ); + // @codingStandardsIgnoreStart sanitized in `storage_key_patterns_to_sql` $storage_array = $wpdb->get_results( ' SELECT `option_name` AS `key`, `option_value` AS `value` FROM ' . $wpdb->options . ' WHERE ' . $storage_key_comparisons . ' ORDER BY `option_name` ASC ' ); + // @codingStandardsIgnoreEnd $storage_array = apply_filters( 'carbon_fields_datastore_storage_array', $storage_array, $this, $storage_key_patterns ); @@ -114,11 +116,13 @@ public function delete( Field $field ) { ); $storage_key_comparisons = $this->key_toolset->storage_key_patterns_to_sql( '`option_name`', $storage_key_patterns ); + // @codingStandardsIgnoreStart sanitized in `storage_key_patterns_to_sql` $option_names = $wpdb->get_col( ' SELECT `option_name` FROM `' . $wpdb->options . '` WHERE ' . $storage_key_comparisons . ' ' ); + // @codingStandardsIgnoreEnd foreach ( $option_names as $option_name ) { delete_option( $option_name ); diff --git a/core/Field/Association_Field.php b/core/Field/Association_Field.php index df3f4f43b..7416d218a 100644 --- a/core/Field/Association_Field.php +++ b/core/Field/Association_Field.php @@ -279,7 +279,7 @@ protected function get_post_options( $type ) { 'type' => $type['type'], 'subtype' => $type['post_type'], 'label' => $this->get_item_label( $p, $type['type'], $type['post_type'] ), - 'is_trashed' => ( get_post_status( $p ) == 'trash' ), + 'is_trashed' => ( get_post_status( $p ) === 'trash' ), 'edit_link' => $this->get_object_edit_link( $type, $p ), ); } 
@@ -550,7 +550,7 @@ protected function value_to_json() { 'id' => intval( $entry['id'] ), 'title' => $this->get_title_by_type( $entry['id'], $entry['type'], $entry['subtype'] ), 'label' => $this->get_item_label( $entry['id'], $entry['type'], $entry['subtype'] ), - 'is_trashed' => ( $entry['type'] == 'post' && get_post_status( $entry['id'] ) === 'trash' ), + 'is_trashed' => ( $entry['type'] === 'post' && get_post_status( $entry['id'] ) === 'trash' ), ); $value[] = $item; } diff --git a/core/Field/Complex_Field.php b/core/Field/Complex_Field.php index 2ee8ff86e..aea72fc98 100644 --- a/core/Field/Complex_Field.php +++ b/core/Field/Complex_Field.php @@ -230,7 +230,7 @@ public function add_fields() { $reserved_names = array( Value_Set::VALUE_PROPERTY, static::TYPE_PROPERTY ); foreach ( $fields as $field ) { - if ( in_array( $field->get_base_name(), $reserved_names ) ) { + if ( in_array( $field->get_base_name(), $reserved_names, true ) ) { Incorrect_Syntax_Exception::raise( '"' . $field->get_base_name() . '" is a reserved keyword for Complex fields and cannot be used for a field name.' ); return $this; } @@ -266,7 +266,7 @@ public function get_group_by_name( $group_name ) { $group_object = null; foreach ( $this->groups as $group ) { - if ( $group->get_name() == $group_name ) { + if ( $group->get_name() === $group_name ) { $group_object = $group; } } @@ -601,7 +601,7 @@ public function set_layout( $layout ) { static::LAYOUT_TABBED_VERTICAL, ); - if ( ! in_array( $layout, $available_layouts ) ) { + if ( ! in_array( $layout, $available_layouts, true ) ) { $error_message = 'Incorrect layout ``' . $layout . '" specified. ' . 'Available layouts: ' . implode( ', ', $available_layouts ); diff --git a/core/Field/Field.php b/core/Field/Field.php index a76af8f7c..e5a3c413f 100644 --- a/core/Field/Field.php +++ b/core/Field/Field.php 
@@ -315,7 +315,7 @@ public function activate() { * @param string $class_name */ public static function activate_field_type( $class_name ) { - if ( in_array( $class_name, static::$activated_field_types ) ) { + if ( in_array( $class_name, static::$activated_field_types, true ) ) { return; } @@ -380,7 +380,7 @@ public function is_simple_root_field() { return ( empty( $hierarchy ) && - in_array( $this->get_value_set()->get_type(), array( Value_Set::TYPE_SINGLE_VALUE, Value_Set::TYPE_MULTIPLE_PROPERTIES ) ) + in_array( $this->get_value_set()->get_type(), array( Value_Set::TYPE_SINGLE_VALUE, Value_Set::TYPE_MULTIPLE_PROPERTIES ), true ) ); } @@ -749,7 +749,7 @@ public function set_attribute( $name, $value = '' ) { $name = preg_replace( '/^\-+|\-+$/', '', $name ); } - if ( ! $is_data_attribute && ! in_array( $name, $this->allowed_attributes ) ) { + if ( ! $is_data_attribute && ! in_array( $name, $this->allowed_attributes, true ) ) { Incorrect_Syntax_Exception::raise( 'Only the following attributes are allowed: ' . implode( ', ', array_merge( $this->allowed_attributes, array( 'data-*' ) ) ) ); return $this; } @@ -968,13 +968,13 @@ protected function parse_conditional_rule( $rule ) { 'value' => '', ), $rule ); - if ( ! in_array( $rule['compare'], $allowed_operators ) ) { + if ( ! in_array( $rule['compare'], $allowed_operators, true ) ) { Incorrect_Syntax_Exception::raise( 'Invalid conditional logic compare operator: ' . $rule['compare'] . '
Allowed operators are: ' . implode( ', ', $allowed_operators ) . '' ); return null; } - if ( in_array( $rule['compare'], $array_operators ) && ! is_array( $rule['value'] ) ) { + if ( in_array( $rule['compare'], $array_operators, true ) && ! is_array( $rule['value'] ) ) { Incorrect_Syntax_Exception::raise( 'Invalid conditional logic value format. An array is expected, when using the "' . $rule['compare'] . '" operator.' ); return null; } diff --git a/core/Field/Group_Field.php b/core/Field/Group_Field.php index daca46c33..3a588b057 100644 --- a/core/Field/Group_Field.php +++ b/core/Field/Group_Field.php @@ -196,7 +196,7 @@ public function get_label_template() { * Print the label template. */ public function template_label() { - echo $this->label_template; + echo $this->label_template; // XSS ok. } /** @@ -250,7 +250,7 @@ public function set_datastore( Datastore_Interface $datastore, $set_as_default = * @return boolean */ public function register_field_name( $name ) { - if ( in_array( $name, $this->registered_field_names ) ) { + if ( in_array( $name, $this->registered_field_names, true ) ) { Incorrect_Syntax_Exception::raise( 'Field name "' . $name . '" already registered' ); return false; } diff --git a/core/Field/Rich_Text_Field.php b/core/Field/Rich_Text_Field.php index df82cdeed..bfbd9e60e 100644 --- a/core/Field/Rich_Text_Field.php +++ b/core/Field/Rich_Text_Field.php @@ -54,7 +54,7 @@ public function upload_image_button_html() { $upload_image_button = ' Add Media '; - echo apply_filters( 'crb_upload_image_button_html', $upload_image_button, $this->base_name ); + echo apply_filters( 'crb_upload_image_button_html', $upload_image_button, $this->base_name ); // XSS ok. } /** diff --git a/core/Field/Scripts_Field.php b/core/Field/Scripts_Field.php index 0e9da3c93..40ee96170 100644 --- a/core/Field/Scripts_Field.php +++ b/core/Field/Scripts_Field.php 
@@ -52,7 +52,7 @@ public function print_scripts() { } $this->load(); - echo $this->get_formatted_value(); + echo $this->get_formatted_value(); // XSS ok. } /** diff --git a/core/Field/Sidebar_Field.php b/core/Field/Sidebar_Field.php index f2d14c932..b4e4672bd 100644 --- a/core/Field/Sidebar_Field.php +++ b/core/Field/Sidebar_Field.php @@ -28,7 +28,7 @@ protected function load_options() { $options = array(); foreach ( $sidebars as $sidebar ) { - if ( in_array( $sidebar['id'], $this->excluded_sidebars ) ) { + if ( in_array( $sidebar['id'], $this->excluded_sidebars, true ) ) { continue; } diff --git a/core/Helper/Helper.php b/core/Helper/Helper.php index 188400dfe..ef3c4e852 100644 --- a/core/Helper/Helper.php +++ b/core/Helper/Helper.php @@ -369,7 +369,7 @@ public static function get_relation_type_from_array( $array, $allowed_relations $relation = strtoupper( $array[ $relation_key ] ); } - if ( ! in_array( $relation, $allowed_relations ) ) { + if ( ! in_array( $relation, $allowed_relations, true ) ) { Incorrect_Syntax_Exception::raise( 'Invalid relation type ' . $relation . '. ' . 'The rule should be one of the following: "' . implode( '", "', $allowed_relations ) . '"' ); } @@ -520,7 +520,7 @@ public static function get_attachment_id( $url ) { $original_file = basename( $meta['file'] ); $cropped_image_files = wp_list_pluck( $meta['sizes'], 'file' ); - if ( $original_file === $filename || in_array( $filename, $cropped_image_files ) ) { + if ( $original_file === $filename || in_array( $filename, $cropped_image_files, true ) ) { return intval( $post_id ); } } 
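Review bot: `// XSS ok.` on `echo $this->get_formatted_value();` records a conclusion without the reason, and for a field whose purpose is to print stored script markup the reason is what matters: `// XSS ok: this field deliberately stores raw script markup entered by administrators and prints it verbatim.` Whether saving that value is restricted to users holding the `unfiltered_html` capability is not visible here; if it is not, that check at save time is the relevant control, since the echo itself cannot be escaped without breaking the feature. print_scripts() begins before the hunk.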
@@ -600,10 +600,10 @@ public static function get_attachment_metadata( $id, $type ) { $attachment_meta['default_thumb_url'] = wp_mime_type_icon( $id ); - if ( $attachment_meta['file_type'] == 'image' ) { + if ( $attachment_meta['file_type'] === 'image' ) { $attachment_meta['thumb_url'] = $attachment_meta['file_url']; - if ( $type == 'id' ) { + if ( $type === 'id' ) { $thumb_src = wp_get_attachment_image_src( $id, 'thumbnail' ); $attachment_meta['thumb_url'] = $thumb_src[0]; } @@ -625,7 +625,7 @@ public static function get_attachment_metadata( $id, $type ) { * @return array */ public static function input() { - $input = ( isset( $_SERVER['REQUEST_METHOD'] ) && $_SERVER['REQUEST_METHOD'] === 'POST' ) ? $_POST : $_GET; + $input = ( isset( $_SERVER['REQUEST_METHOD'] ) && $_SERVER['REQUEST_METHOD'] === 'POST' ) ? $_POST : $_GET; // CSRF ok. Nonce verfied elsewhere. $input = stripslashes_deep( $input ); if ( \Carbon_Fields\COMPACT_INPUT ) { diff --git a/core/Libraries/Sidebar_Manager/Sidebar_Manager.php b/core/Libraries/Sidebar_Manager/Sidebar_Manager.php index 3d8357b58..3ebff5378 100644 --- a/core/Libraries/Sidebar_Manager/Sidebar_Manager.php +++ b/core/Libraries/Sidebar_Manager/Sidebar_Manager.php @@ -38,10 +38,15 @@ public function action_handler() { 'data' => null, ); - $input = stripslashes_deep( $_POST ); + $input = stripslashes_deep( $_POST ); // CSRF ok. verfied below. $action = isset( $input['action'] ) ? $input['action'] : ''; + $nonce = isset( $input['nonce'] ) ? $input['nonce'] : ''; - $result = $this->execute_action( $action, $input ); + if ( ! wp_verify_nonce( $nonce, $action ) ) { + $result = new \WP_Error( 'update-failed', __( 'Failed to update option storing your custom sidebars. Please contact support.', 'carbon-fields' ) ); + } else { + $result = $this->execute_action( $action, $input ); + } if ( is_wp_error( $result ) ) { $response['success'] = false; diff --git a/core/Loader/Loader.php b/core/Loader/Loader.php index a192e09f5..f048ed01c 100644 
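Review bot: The trailing `// CSRF ok. Nonce verfied elsewhere.` on the `$_POST`/`$_GET` line misspells "verified" and promises something `input()` cannot keep: it is a generic accessor and nothing in it verifies anything, so the suppression documents an assumption about every caller rather than a fact about this code. Reword it as the contract it really is, e.g. `// CSRF: this accessor performs no verification; callers must check nonces and capabilities before acting on the returned data.`, and repeat that sentence in the method docblock. The same misspelling appears in the Sidebar_Manager hunk (`// CSRF ok. verfied below.`).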
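Review bot: On a failed `wp_verify_nonce( $nonce, $action )` the handler returns a `WP_Error` with code 'update-failed' and the generic "Failed to update option storing your custom sidebars" text, which misreports a rejected security token as a storage failure and sends users to support for what is usually an expired page; use a distinct code and message, e.g. `$result = new \WP_Error( 'invalid-nonce', __( 'Security check failed. Please reload the page and try again.', 'carbon-fields' ) );`. A nonce proves request intent, not permission — if `execute_action()` does not already gate on a capability (it is outside the hunk), a `current_user_can()` check belongs next to this verification. The nonce action is taken from `$input['action']` itself, which is acceptable only because each nonce is minted for one specific action string in Loader::enqueue_scripts; a comment stating that dependency would help. action_handler() begins before the hunk and continues after it.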
--- a/core/Loader/Loader.php +++ b/core/Loader/Loader.php @@ -85,7 +85,7 @@ public function trigger_fields_register() { foreach ( $e->getTrace() as $trace ) { $callback .= '
' . ( isset( $trace['file'] ) ? $trace['file'] . ':' . $trace['line'] : $trace['function'] . '()' ); } - wp_die( '

' . $e->getMessage() . '

' . $callback . '' ); + wp_die( '

' . esc_html( $e->getMessage() ) . '

' . esc_html( $callback ) . '' ); } } @@ -117,6 +117,11 @@ public function enqueue_scripts() { wp_enqueue_script( 'carbon-fields-core', \Carbon_Fields\URL . '/assets/dist/carbon.core' . $suffix . '.js', array( 'carbon-fields-vendor', 'quicktags', 'editor' ), \Carbon_Fields\VERSION ); wp_enqueue_script( 'carbon-fields-boot', \Carbon_Fields\URL . '/assets/dist/carbon.boot' . $suffix . '.js', array( 'carbon-fields-core' ), \Carbon_Fields\VERSION ); + wp_localize_script( 'carbon-fields-core', 'carbonFieldsSecurity', apply_filters( 'carbon_fields_config', array( + 'addSidebarNonce' => wp_create_nonce( 'carbon_fields_add_sidebar' ), + 'removeSidebarNonce' => wp_create_nonce( 'carbon_fields_remove_sidebar' ), + ) ) ); + wp_localize_script( 'carbon-fields-vendor', 'carbonFieldsConfig', apply_filters( 'carbon_fields_config', array( 'compactInput' => \Carbon_Fields\COMPACT_INPUT, 'compactInputKey' => \Carbon_Fields\COMPACT_INPUT_KEY, diff --git a/core/Service/Legacy_Storage_Service_v_1_5.php b/core/Service/Legacy_Storage_Service_v_1_5.php index 688092e9f..7241fc4f7 100644 --- a/core/Service/Legacy_Storage_Service_v_1_5.php +++ b/core/Service/Legacy_Storage_Service_v_1_5.php @@ -231,7 +231,9 @@ protected function get_legacy_storage_array_from_database( Container $container, WHERE ' . $where_clause . ' '; + // @codingStandardsIgnoreStart sanitized above $raw_results = $wpdb->get_results( $query ); + // @codingStandardsIgnoreEnd $results = array(); foreach ( $raw_results as $result ) { diff --git a/core/Toolset/WP_Toolset.php b/core/Toolset/WP_Toolset.php index 82333d840..9b89862b8 100644 --- a/core/Toolset/WP_Toolset.php +++ b/core/Toolset/WP_Toolset.php 
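Review bot: `esc_html()` on `$e->getMessage()` and `$callback` closes the markup injection, but `$callback` is still assembled from `$trace['file'] . ':' . $trace['line']` for every frame and shown through `wp_die()`, so the page discloses absolute server paths to whoever triggers the exception; whether this output is gated on `WP_DEBUG` or an administrator capability is not visible in the hunk (trigger_fields_register() starts before it). If it is not gated, emit the trace only when `WP_DEBUG` is set and log it otherwise. A short comment above the `wp_die()` stating who is expected to see this page would make that decision explicit.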
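Review bot: The new `wp_localize_script( 'carbon-fields-core', 'carbonFieldsSecurity', apply_filters( 'carbon_fields_config', array( ... ) ) )` reuses the `carbon_fields_config` filter that already wraps the `carbonFieldsConfig` array a few lines below, so every existing callback on that hook now also runs against the nonce array and may add unrelated keys to it or, if it rebuilds the config array from scratch, drop both nonces and break the sidebar requests. Use a dedicated filter name for the security payload, or no filter at all since nonces should not be editable by third parties, e.g. `wp_localize_script( 'carbon-fields-core', 'carbonFieldsSecurity', array( ... ) );` with the two `wp_create_nonce()` entries unchanged. The JS side in assets/js/sidebars/helpers.js reads these entries by the key pattern `${action}SidebarNonce`, so the key names form a contract worth a comment here.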
@@ -63,7 +63,9 @@ public function get_comment_title( $id ) { */ public function get_term_by_descriptor( $term_descriptor ) { if ( ! is_array( $term_descriptor ) || ! isset( $term_descriptor['value'] ) || ! isset( $term_descriptor['taxonomy'] ) ) { + // @codingStandardsIgnoreStart Incorrect_Syntax_Exception::raise( 'Term descriptor passed is invalid. Please supply an array with a "value" and a "taxonomy" key: ' . print_r( $term_descriptor, true ) ); + // @codingStandardsIgnoreEnd return null; } @@ -73,7 +75,9 @@ public function get_term_by_descriptor( $term_descriptor ) { $term = get_term_by( $field, $value, $taxonomy ); if ( ! $term ) { + // @codingStandardsIgnoreStart Incorrect_Syntax_Exception::raise( 'Failed to load term for descriptor: ' . print_r( $term_descriptor, true ) ); + // @codingStandardsIgnoreEnd return new \WP_Term( new \stdClass() ); } diff --git a/core/Value_Set/Value_Set.php b/core/Value_Set/Value_Set.php index 499142538..5b6b31f81 100644 --- a/core/Value_Set/Value_Set.php +++ b/core/Value_Set/Value_Set.php @@ -83,7 +83,7 @@ class Value_Set { * @param array $additional_properties */ public function __construct( $type = self::TYPE_SINGLE_VALUE, $additional_properties = array() ) { - if ( ! in_array( $type, $this->valid_types ) ) { + if ( ! in_array( $type, $this->valid_types, true ) ) { Incorrect_Syntax_Exception::raise( "Invalid type specified for Value_Set: $type" ); } diff --git a/core/Walker/Nav_Menu_Item_Edit_Walker.php b/core/Walker/Nav_Menu_Item_Edit_Walker.php index 20b565de8..2df2d160b 100644 --- a/core/Walker/Nav_Menu_Item_Edit_Walker.php +++ b/core/Walker/Nav_Menu_Item_Edit_Walker.php 
@@ -26,7 +26,7 @@ public function start_el( &$output, $item, $depth = 0, $args = array(), $id = 0 // Generates the HTML ob_start(); do_action( 'carbon_fields_print_nav_menu_item_container_fields', $item, $output, $depth, $args, $id ); - echo $flag; + echo $flag; // XSS ok. Just an html comment. $fields = ob_get_clean(); // List of possible insertion markers, this may vary between WP Core versions diff --git a/core/Widget/Widget.php b/core/Widget/Widget.php index 79aad0d3b..70e4e7a80 100644 --- a/core/Widget/Widget.php +++ b/core/Widget/Widget.php @@ -156,7 +156,7 @@ public function widget( $args, $instance ) { $this->datastore->import_storage( $instance ); if ( $this->print_wrappers ) { - echo $args['before_widget']; + echo $args['before_widget']; // XSS ok. } $instance_values = array(); @@ -168,7 +168,7 @@ public function widget( $args, $instance ) { $this->front_end( $args, $instance_values ); if ( $this->print_wrappers ) { - echo $args['after_widget']; + echo $args['after_widget']; // XSS ok. } } @@ -210,7 +210,7 @@ public function add_fields( $fields ) { public function register_field_name( $name ) { static $registered_field_names = array(); - if ( in_array( $name, $registered_field_names ) ) { + if ( in_array( $name, $registered_field_names, true ) ) { Incorrect_Syntax_Exception::raise( 'Field name "' . $name . '" already registered' ); return false; } @@ -225,7 +225,7 @@ public function register_field_name( $name ) { * @param string $id Widget ID */ public function register_widget_id( $id ) { - if ( in_array( $id, static::$registered_widget_ids ) ) { + if ( in_array( $id, static::$registered_widget_ids, true ) ) { Incorrect_Syntax_Exception::raise( 'Widget with ID "' . $id . '" already registered. Please change the widget title' ); return; } diff --git a/templates/Container/comment_meta.php b/templates/Container/comment_meta.php index 82aa3bf95..41171240a 100644 --- a/templates/Container/comment_meta.php +++ b/templates/Container/comment_meta.php @@ -1 +1 @@ -
+
diff --git a/templates/Container/common/options-page.php b/templates/Container/common/options-page.php index f14219bba..c28f2e1b0 100644 --- a/templates/Container/common/options-page.php +++ b/templates/Container/common/options-page.php @@ -3,35 +3,35 @@ $container_css_class = 'generic-container'; } ?> -
-

title ?>

+
+

title ) ?>

errors ) : ?>
errors as $error ) : ?> -

+

notifications ) : ?> notifications as $notification ) : ?>
-

+

-
+
-
-
+
+
-

+

diff --git a/templates/Container/nav_menu_item.php b/templates/Container/nav_menu_item.php index 383e627f7..135ceea96 100644 --- a/templates/Container/nav_menu_item.php +++ b/templates/Container/nav_menu_item.php @@ -1,3 +1,3 @@ -
-
+
+
diff --git a/templates/Container/post_meta.php b/templates/Container/post_meta.php index 8ff4b568b..c49d778d5 100644 --- a/templates/Container/post_meta.php +++ b/templates/Container/post_meta.php @@ -1 +1 @@ -
+
diff --git a/templates/Container/term_meta.php b/templates/Container/term_meta.php index f9f1cb89a..9b582bb0e 100644 --- a/templates/Container/term_meta.php +++ b/templates/Container/term_meta.php @@ -1,8 +1,8 @@ -
-
+
+
diff --git a/templates/Container/user_meta.php b/templates/Container/user_meta.php index 458e0b5e0..f60c00d1a 100644 --- a/templates/Container/user_meta.php +++ b/templates/Container/user_meta.php @@ -1,10 +1,10 @@ -
-

title; ?>

+
+

title ); ?>

-
+
diff --git a/templates/Container/widget.php b/templates/Container/widget.php index 1bff0eaf0..abd1a4485 100644 --- a/templates/Container/widget.php +++ b/templates/Container/widget.php @@ -1,6 +1,6 @@
-
+
has_fields() ) : ?> - +
diff --git a/templates/Exception/incorrect-syntax.php b/templates/Exception/incorrect-syntax.php index 59ea5b2c0..c66731987 100644 --- a/templates/Exception/incorrect-syntax.php +++ b/templates/Exception/incorrect-syntax.php @@ -18,7 +18,7 @@ $('.carbon-errors-dismiss').on('click', function () { $container.slideUp(); - carbon.docCookies.setItem(, "1", Infinity); + carbon.docCookies.setItem(, "1", Infinity); }); }) @@ -29,14 +29,14 @@

Your site seems to be slightly misconfigured.

Tell me more

-

Carbon Fields library encountered errors that may prevent your custom fields or theme options to work properly. Here's a quick summary of the issue:

+

Carbon Fields library encountered errors that may prevent your custom fields or theme options to work properly. Here's a quick summary of the issue:

    -
  1. getMessage() ) ?>
  2. +
  3. getMessage() ) ) ?>
-

You might want to get in touch with a developer regarding the issue. If you feel adventurous, try enabling WP_DEBUG in your wp-config.php.

+

You might want to get in touch with a developer regarding the issue. If you feel adventurous, try enabling WP_DEBUG in your wp-config.php.