From a4a86d2cf1536b62a527d367158fd3eec29f5686 Mon Sep 17 00:00:00 2001
From: Jonathan Champ <jrchamp@ncsu.edu>
Date: Tue, 4 Apr 2023 00:28:36 -0400
Subject: [PATCH 1/5] options: fix WCAG accessibility issues

---
 options-admin.php | 94 +++++++++++++++++++++++------------------------
 1 file changed, 45 insertions(+), 49 deletions(-)

diff --git a/options-admin.php b/options-admin.php
index 222b281..4fd3247 100644
--- a/options-admin.php
+++ b/options-admin.php
@@ -19,12 +19,12 @@ function shibboleth_admin_tabs( $current = 'general' ) {
 		'authorization' => 'Authorization',
 		'logging' => 'Logging',
 	);
-	echo '<h2 class="nav-tab-wrapper">';
+	echo '<nav class="nav-tab-wrapper">';
 	foreach ( $tabs as $tab => $name ) {
 		$class = ( $tab === $current ) ? ' nav-tab-active' : '';
 		echo '<a class="nav-tab' . esc_attr( $class ) . '" href="?page=shibboleth-options&tab=' . esc_attr( $tab ) . '">' . esc_html( $name ) . '</a>';
 	}
-	echo '</h2>';
+	echo '</nav>';
 }
 
 /**
@@ -232,7 +232,7 @@ function shibboleth_options_page() {
 					$constant = $constant || $from_constant;
 					?>
 
-			<h3><?php esc_html_e( 'General Configuration', 'shibboleth' ); ?></h3>
+			<h2><?php esc_html_e( 'General Configuration', 'shibboleth' ); ?></h2>
 					<?php if ( $constant ) { ?>
 				<div class="notice notice-warning">
 					<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
@@ -348,7 +348,7 @@ function shibboleth_options_page() {
 					</td>
 				</tr>
 				<tr id="attribute_access_fallback_row" <?php echo 'standard' === $attribute_access ? 'style="display:none;"' : ''; ?>>
-					<th scope="row"><label for="attribute_access_fallback"><?php esc_html_e( 'Enable Fallback Attribute Access', 'shibboleth' ); ?></label></th>
+					<th scope="row"><?php esc_html_e( 'Enable Fallback Attribute Access', 'shibboleth' ); ?></th>
 					<td>
 						<input type="checkbox" id="attribute_access_fallback" name="attribute_access_fallback" <?php checked( (bool) $attribute_access_fallback ); ?> <?php defined( 'SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD_FALLBACK' ) && disabled( $attribute_access_fallback, SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD_FALLBACK ); ?> />
 						<label for="attribute_access_fallback"><?php esc_html_e( 'Allow the standard environment variables to be used as a fallback for attribute access.', 'shibboleth' ); ?></label>
@@ -365,7 +365,7 @@ function shibboleth_options_page() {
 					</td>
 				</tr>
 				<tr>
-					<th scope="row"><label for="default_login"><?php esc_html_e( 'Default Login Method', 'shibboleth' ); ?></label></th>
+					<th scope="row"><?php esc_html_e( 'Default Login Method', 'shibboleth' ); ?></th>
 					<td>
 						<input type="checkbox" id="default_login" name="default_login" <?php checked( (bool) $default_login ); ?> <?php defined( 'SHIBBOLETH_DEFAULT_TO_SHIB_LOGIN' ) && disabled( $default_login, SHIBBOLETH_DEFAULT_TO_SHIB_LOGIN ); ?> />
 						<label for="default_login"><?php esc_html_e( 'Use Shibboleth as the default login method for users.', 'shibboleth' ); ?></label>
@@ -383,7 +383,7 @@ function shibboleth_options_page() {
 					</td>
 				</tr>
 				<tr>
-					<th scope="row"><label for="auto_login"><?php esc_html_e( 'Automatic Login', 'shibboleth' ); ?></label></th>
+					<th scope="row"><?php esc_html_e( 'Automatic Login', 'shibboleth' ); ?></th>
 					<td>
 						<input type="checkbox" id="auto_login" name="auto_login" <?php checked( (bool) $auto_login ); ?> <?php defined( 'SHIBBOLETH_AUTO_LOGIN' ) && disabled( $auto_login, SHIBBOLETH_AUTO_LOGIN ); ?> />
 						<label for="auto_login"><?php esc_html_e( 'Use Shibboleth to auto-login users.', 'shibboleth' ); ?></label>
@@ -402,7 +402,7 @@ function shibboleth_options_page() {
 					</td>
 				</tr>
 				<tr>
-					<th scope="row"><label for="disable_local_auth"><?php esc_html_e( 'Disable Local Authentication', 'shibboleth' ); ?></label></th>
+					<th scope="row"><?php esc_html_e( 'Disable Local Authentication', 'shibboleth' ); ?></th>
 					<td>
 						<input type="checkbox" id="disable_local_auth" name="disable_local_auth" <?php checked( (bool) $disable_local_auth ); ?> <?php defined( 'SHIBBOLETH_DISABLE_LOCAL_AUTH' ) && disabled( $disable_local_auth, SHIBBOLETH_DISABLE_LOCAL_AUTH ); ?> />
 						<label for="disable_local_auth"><?php esc_html_e( 'Disables local WordPress authentication.', 'shibboleth' ); ?></label>
@@ -491,7 +491,7 @@ function AttributeAccessMethod() {
 					<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
 				</div>
 			<?php } ?>
-			<h4><?php esc_html_e( 'User Profile Data', 'shibboleth' ); ?></h4>
+			<h3><?php esc_html_e( 'User Profile Data', 'shibboleth' ); ?></h3>
 
 			<p>
 					<?php
@@ -519,7 +519,7 @@ function AttributeAccessMethod() {
 						<input type="text" id="username" name="headers[username][name]" value="<?php echo esc_attr( $shib_headers['username']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
 					</td>
 					<td width="60%">
-						<input type="checkbox" id="username_managed" name="headers[username][managed]" <?php checked( true ); ?><?php disabled( true ); ?>/> <?php esc_html_e( 'Managed', 'shibboleth' ); ?>
+						<input type="checkbox" id="username_managed" name="headers[username][managed]" <?php checked( true ); ?><?php disabled( true ); ?>/> <label for="username_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
 					</td>
 				</tr>
 				<tr valign="top">
@@ -528,7 +528,7 @@ function AttributeAccessMethod() {
 						<input type="text" id="first_name" name="headers[first_name][name]" value="<?php echo esc_attr( $shib_headers['first_name']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
 					</td>
 					<td>
-						<input type="checkbox" id="first_name_managed" name="headers[first_name][managed]" <?php isset( $shib_headers['first_name']['managed'] ) && checked( $shib_headers['first_name']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?> /> <?php esc_html_e( 'Managed', 'shibboleth' ); ?>
+						<input type="checkbox" id="first_name_managed" name="headers[first_name][managed]" <?php isset( $shib_headers['first_name']['managed'] ) && checked( $shib_headers['first_name']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?> /> <label for="first_name_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
 					</td>
 				</tr>
 				<tr valign="top">
@@ -537,7 +537,7 @@ function AttributeAccessMethod() {
 						<input type="text" id="last_name" name="headers[last_name][name]" value="<?php echo esc_attr( $shib_headers['last_name']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
 					</td>
 					<td>
-						<input type="checkbox" id="last_name_managed" name="headers[last_name][managed]" <?php isset( $shib_headers['last_name']['managed'] ) && checked( $shib_headers['last_name']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?> /> <?php esc_html_e( 'Managed', 'shibboleth' ); ?>
+						<input type="checkbox" id="last_name_managed" name="headers[last_name][managed]" <?php isset( $shib_headers['last_name']['managed'] ) && checked( $shib_headers['last_name']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?> /> <label for="last_name_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
 					</td>
 				</tr>
 				<tr valign="top">
@@ -546,7 +546,7 @@ function AttributeAccessMethod() {
 						<input type="text" id="nickname" name="headers[nickname][name]" value="<?php echo esc_attr( $shib_headers['nickname']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
 					</td>
 					<td>
-						<input type="checkbox" id="nickname_managed" name="headers[nickname][managed]" <?php isset( $shib_headers['nickname']['managed'] ) && checked( $shib_headers['nickname']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?>/> <?php esc_html_e( 'Managed', 'shibboleth' ); ?>
+						<input type="checkbox" id="nickname_managed" name="headers[nickname][managed]" <?php isset( $shib_headers['nickname']['managed'] ) && checked( $shib_headers['nickname']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?>/> <label for="nickname_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
 					</td>
 				</tr>
 				<tr valign="top">
@@ -555,7 +555,7 @@ function AttributeAccessMethod() {
 						<input type="text" id="_display_name" name="headers[display_name][name]" value="<?php echo esc_attr( $shib_headers['display_name']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
 					</td>
 					<td>
-						<input type="checkbox" id="display_name_managed" name="headers[display_name][managed]" <?php isset( $shib_headers['display_name']['managed'] ) && checked( $shib_headers['display_name']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?>/> <?php esc_html_e( 'Managed', 'shibboleth' ); ?>
+						<input type="checkbox" id="display_name_managed" name="headers[display_name][managed]" <?php isset( $shib_headers['display_name']['managed'] ) && checked( $shib_headers['display_name']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?>/> <label for="display_name_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
 					</td>
 				</tr>
 				<tr valign="top">
@@ -564,7 +564,7 @@ function AttributeAccessMethod() {
 						<input type="text" id="email" name="headers[email][name]" value="<?php echo esc_attr( $shib_headers['email']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
 					</td>
 					<td>
-						<input type="checkbox" id="email_managed" name="headers[email][managed]" <?php isset( $shib_headers['email']['managed'] ) && checked( $shib_headers['email']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?> /> <?php esc_html_e( 'Managed', 'shibboleth' ); ?>
+						<input type="checkbox" id="email_managed" name="headers[email][managed]" <?php isset( $shib_headers['email']['managed'] ) && checked( $shib_headers['email']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?> /> <label for="email_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
 					</td>
 				</tr>
 			</table>
@@ -585,7 +585,7 @@ function AttributeAccessMethod() {
 
 			<table class="form-table">
 				<tr valign="top">
-					<th scope="row"><label for="create_accounts"><?php esc_html_e( 'Automatically Create Accounts', 'shibboleth' ); ?></label></th>
+					<th scope="row"><?php esc_html_e( 'Automatically Create Accounts', 'shibboleth' ); ?></th>
 					<td>
 						<input type="checkbox" id="create_accounts" name="create_accounts" <?php checked( (bool) $create_accounts ); ?> <?php defined( 'SHIBBOLETH_CREATE_ACCOUNTS' ) && disabled( $create_accounts, SHIBBOLETH_CREATE_ACCOUNTS ); ?> />
 						<label for="create_accounts"><?php esc_html_e( 'Automatically create new users if they do not exist in the WordPress database.', 'shibboleth' ); ?></label>
@@ -628,7 +628,7 @@ function AttributeAccessMethod() {
 					</td>
 				</tr>
 				<tr>
-					<th scope="row"><label for="manually_combine_accounts"></label></th>
+					<th scope="row"><label for="manually_combine_accounts"><?php esc_html_e( 'Manual Account Merging', 'shibboleth' ); ?></label></th>
 					<td>
 						<select id="manually_combine_accounts" name="manually_combine_accounts" <?php defined( 'SHIBBOLETH_MANUALLY_COMBINE_ACCOUNTS' ) && disabled( $manually_combine_accounts, SHIBBOLETH_MANUALLY_COMBINE_ACCOUNTS ); ?>>
 							<option value="prevent" <?php selected( $manually_combine_accounts, 'disallow' ); ?>>Prevent Manual Account Merging</option>
@@ -666,7 +666,7 @@ function AttributeAccessMethod() {
 					$constant = $constant || $from_constant;
 					?>
 
-			<h3><?php esc_html_e( 'User Role Mappings', 'shibboleth' ); ?></h3>
+			<h2><?php esc_html_e( 'User Role Mappings', 'shibboleth' ); ?></h2>
 						<?php if ( $constant ) { ?>
 				<div class="notice notice-warning">
 					<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
@@ -722,22 +722,19 @@ function AttributeAccessMethod() {
 				#role_mappings td, #role_mappings th { border-bottom: 0px; }
 			</style>
 
-			<table class="form-table optiontable editform" cellspacing="2" cellpadding="5" width="100%">
-				<tr>
-					<th scope="row"><?php esc_html_e( 'Role Mappings', 'shibboleth' ); ?></th>
-					<td id="role_mappings">
-						<table id="">
-						<col width="10%"></col>
-						<col></col>
-						<col></col>
-						<thead>
-							<tr>
-								<th></th>
-								<th scope="column"><?php esc_html_e( 'Header Name', 'shibboleth' ); ?></th>
-								<th scope="column"><?php esc_html_e( 'Header Value', 'shibboleth' ); ?></th>
-							</tr>
-						</thead>
-						<tbody>
+			<h3><?php esc_html_e( 'Role Mappings', 'shibboleth' ); ?></h3>
+			<table id="role_mappings" class="form-table optiontable editform" cellspacing="2" cellpadding="5" width="100%">
+				<col width="10%"></col>
+				<col></col>
+				<col></col>
+				<thead>
+					<tr>
+						<th scope="col"><?php esc_html_e( 'Role' ); ?></th>
+						<th scope="col"><?php esc_html_e( 'Header Name', 'shibboleth' ); ?></th>
+						<th scope="col"><?php esc_html_e( 'Header Value', 'shibboleth' ); ?></th>
+					</tr>
+				</thead>
+				<tbody>
 							<?php
 
 							foreach ( $wp_roles->role_names as $key => $name ) {
@@ -750,21 +747,20 @@ function AttributeAccessMethod() {
 									$value = $shib_roles[ $key ]['value'];
 								}
 								echo '
-						<tr valign="top">
-							<th scope="row">' . esc_html( $name ) . '</th>
-							<td><input type="text" id="role_' . esc_attr( $key ) . '_header" name="shibboleth_roles[' . esc_attr( $key ) . '][header]" value="' . esc_attr( $header ) . '" style="width: 100%" ' . disabled( $shib_roles_constant, true, false ) . '/></td>
-							<td><input type="text" id="role_' . esc_attr( $key ) . '_value" name="shibboleth_roles[' . esc_attr( $key ) . '][value]" value="' . esc_attr( $value ) . '" style="width: 100%" ' . disabled( $shib_roles_constant, true, false ) . '/></td>
-						</tr>';
+				<tr valign="top">
+					<th scope="row">' . esc_html( $name ) . '</th>
+					<td><input type="text" id="role_' . esc_attr( $key ) . '_header" name="shibboleth_roles[' . esc_attr( $key ) . '][header]" value="' . esc_attr( $header ) . '" style="width: 100%" ' . disabled( $shib_roles_constant, true, false ) . '/></td>
+					<td><input type="text" id="role_' . esc_attr( $key ) . '_value" name="shibboleth_roles[' . esc_attr( $key ) . '][value]" value="' . esc_attr( $value ) . '" style="width: 100%" ' . disabled( $shib_roles_constant, true, false ) . '/></td>
+				</tr>';
 							}
 							?>
 
-						</tbody>
-						</table>
-					</td>
-				</tr>
+				</tbody>
+			</table>
 
+			<table class="form-table optiontable editform" cellspacing="2" cellpadding="5" width="100%">
 				<tr>
-					<th scope="row"><?php esc_html_e( 'Default Role', 'shibboleth' ); ?></th>
+					<th scope="row"><label for="default_role"><?php esc_html_e( 'Default Role', 'shibboleth' ); ?></label></th>
 					<td>
 						<select id="default_role" name="default_role" <?php defined( 'SHIBBOLETH_DEFAULT_ROLE' ) && disabled( $default_role, SHIBBOLETH_DEFAULT_ROLE ); ?>>
 							<option value=""><?php esc_html_e( '(no role)', 'shibboleth' ); ?></option>
@@ -792,7 +788,7 @@ function AttributeAccessMethod() {
 				</tr>
 
 				<tr>
-					<th scope="row"><label for="update_roles"><?php esc_html_e( 'Update User Roles', 'shibboleth' ); ?></label></th>
+					<th scope="row"><?php esc_html_e( 'Update User Roles', 'shibboleth' ); ?></th>
 					<td>
 						<input type="checkbox" id="update_roles" name="update_roles" <?php checked( (bool) $update_roles ); ?> <?php defined( 'SHIBBOLETH_UPDATE_ROLES' ) && disabled( $update_roles, SHIBBOLETH_UPDATE_ROLES ); ?>
 							/>
@@ -834,7 +830,7 @@ function AttributeAccessMethod() {
 					list( $shib_logging, $shib_logging_constant ) = shibboleth_getoption( 'shibboleth_logging', array(), true, true );
 					$constant = $constant || $shib_logging_constant;
 					?>
-		<h3><?php esc_html_e( 'Logging Configuration', 'shibboleth' ); ?></h3>
+		<h2><?php esc_html_e( 'Logging Configuration', 'shibboleth' ); ?></h2>
 					<?php if ( $constant ) { ?>
 			<div class="notice notice-warning">
 				<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
@@ -842,28 +838,28 @@ function AttributeAccessMethod() {
 		<?php } ?>
 			<table class="form-table">
 				<tr>
-					<th scope="row"><label for="log_auth"><?php esc_html_e( 'Log Authentication Attempts', 'shibboleth' ); ?></label></th>
+					<th scope="row"><?php esc_html_e( 'Log Authentication Attempts', 'shibboleth' ); ?></th>
 					<td>
 						<input type="checkbox" id="log_auth" name="logging[]" value="auth" <?php checked( in_array( 'auth', $shib_logging, true ) ); ?> <?php defined( $shib_logging_constant ) && disabled( $shib_logging_constant, true, false ); ?> />
 						<label for="log_auth"><?php esc_html_e( 'Log when a user attempts to authenticate using Shibboleth.', 'shibboleth' ); ?></label>
 					</td>
 				</tr>
 				<tr>
-					<th scope="row"><label for="log_account_merge"><?php esc_html_e( 'Log Account Merges', 'shibboleth' ); ?></label></th>
+					<th scope="row"><?php esc_html_e( 'Log Account Merges', 'shibboleth' ); ?></th>
 					<td>
 						<input type="checkbox" id="log_account_merge" name="logging[]" value="account_merge" <?php checked( in_array( 'account_merge', $shib_logging, true ) ); ?> <?php defined( $shib_logging_constant ) && disabled( $shib_logging_constant, true, false ); ?> />
 						<label for="log_account_merge"><?php esc_html_e( 'Log when a user attempts to merge their account, either manually or automatically.', 'shibboleth' ); ?></label>
 					</td>
 				</tr>
 				<tr>
-					<th scope="row"><label for="log_account_create"><?php esc_html_e( 'Log Account Creation', 'shibboleth' ); ?></label></th>
+					<th scope="row"><?php esc_html_e( 'Log Account Creation', 'shibboleth' ); ?></th>
 					<td>
 						<input type="checkbox" id="log_account_create" name="logging[]" value="account_create" <?php checked( in_array( 'account_create', $shib_logging, true ) ); ?> <?php defined( $shib_logging_constant ) && disabled( $shib_logging_constant, true, false ); ?> />
 						<label for="log_account_create"><?php esc_html_e( 'Log when new accounts are created.', 'shibboleth' ); ?></label>
 					</td>
 				</tr>
 				<tr>
-					<th scope="row"><label for="log_role_update"><?php esc_html_e( 'Log Role Update', 'shibboleth' ); ?></label></th>
+					<th scope="row"><?php esc_html_e( 'Log Role Update', 'shibboleth' ); ?></th>
 					<td>
 						<input type="checkbox" id="log_role_update" name="logging[]" value="role_update" <?php checked( in_array( 'role_update', $shib_logging, true ) ); ?> <?php defined( $shib_logging_constant ) && disabled( $shib_logging_constant, true, false ); ?> />
 						<label for="log_role_update"><?php esc_html_e( 'Log when the plugin updates a user\'s role.', 'shibboleth' ); ?></label>

From 225cb5a36e60361d52ef9aaaf93fc864a59048ec Mon Sep 17 00:00:00 2001
From: Jonathan Champ <jrchamp@ncsu.edu>
Date: Mon, 27 Mar 2023 13:42:58 -0400
Subject: [PATCH 2/5] wpcs: Follow WordPress standard, not just WordPress-Core

---
 .github/workflows/wp-plugin-ci-full.yml |   2 +-
 .github/workflows/wp-plugin-ci.yml      |   2 +-
 assets/js/shibboleth_login_form.js      |  10 +-
 options-admin.php                       | 601 ++++++++++++------------
 options-user.php                        |  36 +-
 shibboleth.php                          |  71 +--
 6 files changed, 360 insertions(+), 362 deletions(-)

diff --git a/.github/workflows/wp-plugin-ci-full.yml b/.github/workflows/wp-plugin-ci-full.yml
index b0118e8..36290f5 100644
--- a/.github/workflows/wp-plugin-ci-full.yml
+++ b/.github/workflows/wp-plugin-ci-full.yml
@@ -27,4 +27,4 @@ jobs:
 
     - name: Run PHPCS on all files
       run: |
-        vendor/bin/phpcs -q -n --ignore=vendor --runtime-set installed_paths vendor/wp-coding-standards/wpcs --standard=WordPress-Core --report=checkstyle $GITHUB_WORKSPACE | cs2pr
+        vendor/bin/phpcs -q -n --ignore=vendor --runtime-set installed_paths vendor/wp-coding-standards/wpcs --standard=WordPress --report=checkstyle $GITHUB_WORKSPACE | cs2pr
diff --git a/.github/workflows/wp-plugin-ci.yml b/.github/workflows/wp-plugin-ci.yml
index 622c8ed..35ab7aa 100644
--- a/.github/workflows/wp-plugin-ci.yml
+++ b/.github/workflows/wp-plugin-ci.yml
@@ -32,4 +32,4 @@ jobs:
       run: |
         touch $GITHUB_WORKSPACE/tmp.php
         export CHANGED_FILES=$(git diff --name-only --diff-filter=AM remotes/origin/${{ github.base_ref }} | tr '\n' ' ')
-        vendor/bin/phpcs -q -n --ignore=vendor --runtime-set installed_paths vendor/wp-coding-standards/wpcs --standard=WordPress-Core --report=checkstyle $GITHUB_WORKSPACE/tmp.php $(echo $CHANGED_FILES) | cs2pr
+        vendor/bin/phpcs -q -n --ignore=vendor --runtime-set installed_paths vendor/wp-coding-standards/wpcs --standard=WordPress --report=checkstyle $GITHUB_WORKSPACE/tmp.php $(echo $CHANGED_FILES) | cs2pr
diff --git a/assets/js/shibboleth_login_form.js b/assets/js/shibboleth_login_form.js
index 6b7690f..370a335 100644
--- a/assets/js/shibboleth_login_form.js
+++ b/assets/js/shibboleth_login_form.js
@@ -1,5 +1,9 @@
-// Originally from Automattic's Jetpack SSO module (v5.3)
-// @see https://github.com/Automattic/jetpack/blob/5.3/modules/sso/jetpack-sso-login.js
+/**
+ * Originally from Automattic's Jetpack SSO module (v5.3)
+ *
+ * @see https://github.com/Automattic/jetpack/blob/5.3/modules/sso/jetpack-sso-login.js.
+ * @package shibboleth
+ */
 
 jQuery( document ).ready(
 	function( $ ) {
@@ -15,7 +19,7 @@ jQuery( document ).ready(
 		// UI under the submit button.
 		//
 		// @TODO: Remove this approach once core ticket 28528 is in and we have more actions in wp-login.php.
-		// See - https://core.trac.wordpress.org/ticket/28528
+		// See - https://core.trac.wordpress.org/ticket/28528.
 		loginForm.append( overflow );
 		overflow.append( $( 'p.forgetmenot' ), $( 'p.submit' ) );
 
diff --git a/options-admin.php b/options-admin.php
index 4fd3247..4b28462 100644
--- a/options-admin.php
+++ b/options-admin.php
@@ -59,43 +59,49 @@ function shibboleth_network_admin_panels() {
  */
 function shibboleth_options_page() {
 	global $wp_roles;
+
 	$message = null;
 	$type = null;
 
+	$tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
+
+	$shib_header_fields = array(
+		'username' => __( 'Username' ),
+		'first_name' => __( 'First Name' ),
+		'last_name' => __( 'Last Name' ),
+		'nickname' => __( 'Nickname' ),
+		'display_name' => __( 'Display name', 'shibboleth' ),
+		'email' => __( 'Email' ),
+	);
+
 	if ( isset( $_POST['submit'] ) ) {
 		check_admin_referer( 'shibboleth_update_options' );
 
-		if ( isset( $_GET['tab'] ) ) {
-			$tab = $_GET['tab'];
-		} else {
-			$tab = 'general';
-		}
-
 		switch ( $tab ) {
 			case 'general':
-				if ( ! defined( 'SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD' ) ) {
-					update_site_option( 'shibboleth_attribute_access_method', $_POST['attribute_access'] );
+				if ( ! defined( 'SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD' ) && isset( $_POST['attribute_access'] ) ) {
+					update_site_option( 'shibboleth_attribute_access_method', sanitize_text_field( wp_unslash( $_POST['attribute_access'] ) ) );
 				}
 				if ( ! defined( 'SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD_FALLBACK' ) ) {
-					update_site_option( 'shibboleth_attribute_access_method_fallback', $_POST['attribute_access_fallback'] );
+					update_site_option( 'shibboleth_attribute_access_method_fallback', ! empty( $_POST['attribute_access_fallback'] ) );
 				}
-				if ( ! defined( 'SHIBBOLETH_ATTRIBUTE_CUSTOM_ACCESS_METHOD' ) ) {
-					update_site_option( 'shibboleth_attribute_custom_access_method', $_POST['attribute_custom_access'] );
+				if ( ! defined( 'SHIBBOLETH_ATTRIBUTE_CUSTOM_ACCESS_METHOD' ) && isset( $_POST['attribute_custom_access'] ) ) {
+					update_site_option( 'shibboleth_attribute_custom_access_method', sanitize_text_field( wp_unslash( $_POST['attribute_custom_access'] ) ) );
 				}
-				if ( ! defined( 'SHIBBOLETH_LOGIN_URL' ) ) {
-					update_site_option( 'shibboleth_login_url', $_POST['login_url'] );
+				if ( ! defined( 'SHIBBOLETH_LOGIN_URL' ) && isset( $_POST['login_url'] ) ) {
+					update_site_option( 'shibboleth_login_url', sanitize_url( wp_unslash( $_POST['login_url'] ) ) );
 				}
-				if ( ! defined( 'SHIBBOLETH_LOGOUT_URL' ) ) {
-					update_site_option( 'shibboleth_logout_url', $_POST['logout_url'] );
+				if ( ! defined( 'SHIBBOLETH_LOGOUT_URL' ) && isset( $_POST['logout_url'] ) ) {
+					update_site_option( 'shibboleth_logout_url', sanitize_url( wp_unslash( $_POST['logout_url'] ) ) );
 				}
-				if ( ! defined( 'SHIBBOLETH_SPOOF_KEY' ) ) {
-					update_site_option( 'shibboleth_spoof_key', $_POST['spoofkey'] );
+				if ( ! defined( 'SHIBBOLETH_SPOOF_KEY' ) && isset( $_POST['spoofkey'] ) ) {
+					update_site_option( 'shibboleth_spoof_key', sanitize_text_field( wp_unslash( $_POST['spoofkey'] ) ) );
 				}
-				if ( ! defined( 'SHIBBOLETH_PASSWORD_CHANGE_URL' ) ) {
-					update_site_option( 'shibboleth_password_change_url', $_POST['password_change_url'] );
+				if ( ! defined( 'SHIBBOLETH_PASSWORD_CHANGE_URL' ) && isset( $_POST['password_change_url'] ) ) {
+					update_site_option( 'shibboleth_password_change_url', sanitize_url( wp_unslash( $_POST['password_change_url'] ) ) );
 				}
-				if ( ! defined( 'SHIBBOLETH_PASSWORD_RESET_URL' ) ) {
-					update_site_option( 'shibboleth_password_reset_url', $_POST['password_reset_url'] );
+				if ( ! defined( 'SHIBBOLETH_PASSWORD_RESET_URL' ) && isset( $_POST['password_reset_url'] ) ) {
+					update_site_option( 'shibboleth_password_reset_url', sanitize_url( wp_unslash( $_POST['password_reset_url'] ) ) );
 				}
 				if ( ! defined( 'SHIBBOLETH_DEFAULT_TO_SHIB_LOGIN' ) ) {
 					update_site_option( 'shibboleth_default_to_shib_login', ! empty( $_POST['default_login'] ) );
@@ -103,17 +109,24 @@ function shibboleth_options_page() {
 				if ( ! defined( 'SHIBBOLETH_AUTO_LOGIN' ) ) {
 					update_site_option( 'shibboleth_auto_login', ! empty( $_POST['auto_login'] ) );
 				}
-				if ( ! defined( 'SHIBBOLETH_BUTTON_TEXT' ) ) {
-					update_site_option( 'shibboleth_button_text', $_POST['button_text'] );
+				if ( ! defined( 'SHIBBOLETH_BUTTON_TEXT' ) && isset( $_POST['button_text'] ) ) {
+					update_site_option( 'shibboleth_button_text', sanitize_text_field( wp_unslash( $_POST['button_text'] ) ) );
 				}
 				if ( ! defined( 'SHIBBOLETH_DISABLE_LOCAL_AUTH' ) ) {
 					update_site_option( 'shibboleth_disable_local_auth', ! empty( $_POST['disable_local_auth'] ) );
 				}
 				break;
+
 			case 'user':
-				if ( ! defined( 'SHIBBOLETH_HEADERS' ) ) {
+				if ( ! defined( 'SHIBBOLETH_HEADERS' ) && isset( $_POST['headers'] ) ) {
 					$shib_headers = (array) get_site_option( 'shibboleth_headers' );
-					$shib_headers = array_merge( $shib_headers, $_POST['headers'] );
+					$updated_headers = array();
+					foreach ( $shib_header_fields as $header_field => $header_field_label ) {
+						if ( isset( $_POST['headers'][ $header_field ] ) ) {
+							$updated_headers[ $header_field ] = array_map( 'sanitize_text_field', wp_unslash( $_POST['headers'][ $header_field ] ) );
+						}
+					}
+					$shib_headers = array_merge( $shib_headers, $updated_headers );
 					/**
 					 * Filter shibboleth_form_submit_headers
 					 *
@@ -127,17 +140,24 @@ function shibboleth_options_page() {
 				if ( ! defined( 'SHIBBOLETH_CREATE_ACCOUNTS' ) ) {
 					update_site_option( 'shibboleth_create_accounts', ! empty( $_POST['create_accounts'] ) );
 				}
-				if ( ! defined( 'SHIBBOLETH_AUTO_COMBINE_ACCOUNTS' ) ) {
-					update_site_option( 'shibboleth_auto_combine_accounts', $_POST['auto_combine_accounts'] );
+				if ( ! defined( 'SHIBBOLETH_AUTO_COMBINE_ACCOUNTS' ) && isset( $_POST['auto_combine_accounts'] ) ) {
+					update_site_option( 'shibboleth_auto_combine_accounts', sanitize_text_field( wp_unslash( $_POST['auto_combine_accounts'] ) ) );
 				}
-				if ( ! defined( 'SHIBBOLETH_MANUALLY_COMBINE_ACCOUNTS' ) ) {
-					update_site_option( 'shibboleth_manually_combine_accounts', $_POST['manually_combine_accounts'] );
+				if ( ! defined( 'SHIBBOLETH_MANUALLY_COMBINE_ACCOUNTS' ) && isset( $_POST['manually_combine_accounts'] ) ) {
+					update_site_option( 'shibboleth_manually_combine_accounts', sanitize_text_field( wp_unslash( $_POST['manually_combine_accounts'] ) ) );
 				}
 				break;
+
 			case 'authorization':
-				if ( ! defined( 'SHIBBOLETH_ROLES' ) ) {
+				if ( ! defined( 'SHIBBOLETH_ROLES' ) && isset( $_POST['shibboleth_roles'] ) ) {
 					$shib_roles = (array) get_site_option( 'shibboleth_roles' );
-					$shib_roles = array_merge( $shib_roles, $_POST['shibboleth_roles'] );
+					$updated_roles = array();
+					foreach ( $wp_roles->role_names as $key => $name ) {
+						if ( isset( $_POST['shibboleth_roles'][ $key ] ) ) {
+							$updated_roles[ $key ] = array_map( 'sanitize_text_field', wp_unslash( $_POST['shibboleth_roles'][ $key ] ) );
+						}
+					}
+					$shib_roles = array_merge( $shib_roles, $updated_roles );
 					/**
 					 * Filter shibboleth_form_submit_roles
 					 *
@@ -148,23 +168,25 @@ function shibboleth_options_page() {
 					$shib_roles = apply_filters( 'shibboleth_form_submit_roles', $shib_roles );
 					update_site_option( 'shibboleth_roles', $shib_roles );
 				}
-				if ( ! defined( 'SHIBBOLETH_DEFAULT_ROLE' ) ) {
-					update_site_option( 'shibboleth_default_role', $_POST['default_role'] );
+				if ( ! defined( 'SHIBBOLETH_DEFAULT_ROLE' ) && isset( $_POST['default_role'] ) ) {
+					update_site_option( 'shibboleth_default_role', sanitize_text_field( wp_unslash( $_POST['default_role'] ) ) );
 				}
 				if ( ! defined( 'SHIBBOLETH_UPDATE_ROLES' ) ) {
 					update_site_option( 'shibboleth_update_roles', ! empty( $_POST['update_roles'] ) );
 				}
 				break;
+
 			case 'logging':
 				if ( ! defined( 'SHIBBOLETH_LOGGING' ) ) {
 					if ( isset( $_POST['logging'] ) ) {
-						update_site_option( 'shibboleth_logging', $_POST['logging'] );
+						update_site_option( 'shibboleth_logging', array_map( 'sanitize_text_field', wp_unslash( $_POST['logging'] ) ) );
 					} else {
 						update_site_option( 'shibboleth_logging', array() );
 					}
 				}
 				break;
 		}
+
 		$type = 'updated';
 		$message = __( 'Settings saved.', 'shibboleth' );
 
@@ -180,7 +202,6 @@ function shibboleth_options_page() {
 		 * Hint: use global $_POST within the action.
 		 */
 		do_action( 'shibboleth_form_submit' );
-
 	}
 
 	$shibboleth_plugin_path = apply_filters( 'shibboleth_plugin_path', plugins_url( 'shibboleth' ) );
@@ -191,53 +212,45 @@ function shibboleth_options_page() {
 
 			<h1><?php esc_html_e( 'Shibboleth Options', 'shibboleth' ); ?></h1>
 
-			<?php
-			if ( isset( $_GET['tab'] ) ) {
-				shibboleth_admin_tabs( $_GET['tab'] );
-			} else {
-				shibboleth_admin_tabs( 'general' );
-			}
-			if ( isset( $_GET['tab'] ) ) {
-				$tab = $_GET['tab'];
-			} else {
-				$tab = 'general';
-			}
-
-			switch ( $tab ) {
-				case 'general':
-					$constant = false;
-					list( $login_url, $from_constant ) = shibboleth_getoption( 'shibboleth_login_url', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $logout_url, $from_constant ) = shibboleth_getoption( 'shibboleth_logout_url', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $password_change_url, $from_constant ) = shibboleth_getoption( 'shibboleth_password_change_url', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $password_reset_url, $from_constant ) = shibboleth_getoption( 'shibboleth_password_reset_url', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $attribute_access, $from_constant ) = shibboleth_getoption( 'shibboleth_attribute_access_method', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $attribute_access_fallback, $from_constant ) = shibboleth_getoption( 'shibboleth_attribute_access_method_fallback', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $attribute_custom_access, $from_constant ) = shibboleth_getoption( 'shibboleth_attribute_custom_access_method', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $spoofkey, $from_constant ) = shibboleth_getoption( 'shibboleth_spoof_key', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $default_login, $from_constant ) = shibboleth_getoption( 'shibboleth_default_to_shib_login', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $auto_login, $from_constant ) = shibboleth_getoption( 'shibboleth_auto_login', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $disable_local_auth, $from_constant ) = shibboleth_getoption( 'shibboleth_disable_local_auth', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $button_text, $from_constant ) = shibboleth_getoption( 'shibboleth_button_text', false, false, true );
-					$constant = $constant || $from_constant;
-					?>
+	<?php
+	shibboleth_admin_tabs( $tab );
+
+	switch ( $tab ) {
+		case 'general':
+			$constant = false;
+			list( $login_url, $from_constant ) = shibboleth_getoption( 'shibboleth_login_url', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $logout_url, $from_constant ) = shibboleth_getoption( 'shibboleth_logout_url', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $password_change_url, $from_constant ) = shibboleth_getoption( 'shibboleth_password_change_url', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $password_reset_url, $from_constant ) = shibboleth_getoption( 'shibboleth_password_reset_url', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $attribute_access, $from_constant ) = shibboleth_getoption( 'shibboleth_attribute_access_method', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $attribute_access_fallback, $from_constant ) = shibboleth_getoption( 'shibboleth_attribute_access_method_fallback', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $attribute_custom_access, $from_constant ) = shibboleth_getoption( 'shibboleth_attribute_custom_access_method', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $spoofkey, $from_constant ) = shibboleth_getoption( 'shibboleth_spoof_key', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $default_login, $from_constant ) = shibboleth_getoption( 'shibboleth_default_to_shib_login', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $auto_login, $from_constant ) = shibboleth_getoption( 'shibboleth_auto_login', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $disable_local_auth, $from_constant ) = shibboleth_getoption( 'shibboleth_disable_local_auth', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $button_text, $from_constant ) = shibboleth_getoption( 'shibboleth_button_text', false, false, true );
+			$constant = $constant || $from_constant;
+			?>
 
 			<h2><?php esc_html_e( 'General Configuration', 'shibboleth' ); ?></h2>
-					<?php if ( $constant ) { ?>
-				<div class="notice notice-warning">
-					<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
-				</div>
+			<?php if ( $constant ) { ?>
+			<div class="notice notice-warning">
+				<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
+			</div>
 			<?php } ?>
+
 			<table class="form-table">
 				<tr valign="top">
 					<th scope="row"><label for="login_url"><?php esc_html_e( 'Login URL', 'shibboleth' ); ?></label></th>
@@ -305,7 +318,7 @@ function shibboleth_options_page() {
 								For most users, leaving these defaults is perfectly fine. If you are running a special server configuration that results in environment variables
 								being sent with the prefix <code>REDIRECT_</code>, you should select the "Redirected Environment Variables" option. If you are running
 								your Shibboleth Service Provider on a reverse proxy, you should select the "HTTP Headers" option and, if at all possible, add a spoofkey below.
-								 If you are running Shibboleth with a custom prefix, you should select the "Custom Prefix" option and complete the "Custom Attribute Access Prefix" field that appears below.',
+								If you are running Shibboleth with a custom prefix, you should select the "Custom Prefix" option and complete the "Custom Attribute Access Prefix" field that appears below.',
 								'shibboleth'
 							)
 						);
@@ -426,19 +439,19 @@ function shibboleth_options_page() {
 						<p><?php echo wp_kses_post( __( 'Set the text of the button that appears on the <code>wp-login.php</code> page.', 'shibboleth' ) ); ?></p>
 					</td>
 				</tr>
-					<?php
-					/**
-					 * Action shibboleth_options_table
-					 * Add your own Shibboleth options items to the Shibboleth options table.
-					 * Note: This is in a <table> so add a <tr> with appropriate styling.
-					 *
-					 * @param $shib_headers array
-					 * @param $shib_roles array
-					 * @since 1.4
-					 * @todo support new structure of table and tabs
-					 */
-					// do_action( 'shibboleth_options_table', $shib_headers, $shib_roles );
-					?>
+				<?php
+				/**
+				 * Action shibboleth_options_table
+				 * Add your own Shibboleth options items to the Shibboleth options table.
+				 * Note: This is in a <table> so add a <tr> with appropriate styling.
+				 *
+				 * @param $shib_headers array
+				 * @param $shib_roles array
+				 * @since 1.4
+				 * @todo support new structure of table and tabs
+				 */
+				// do_action( 'shibboleth_options_table', $shib_headers, $shib_roles );.
+				?>
 			</table>
 
 			<br class="clear" />
@@ -470,117 +483,92 @@ function AttributeAccessMethod() {
 				}
 			</script>
 
-					<?php
-					break;
-				case 'user':
-					$constant = false;
-					list( $shib_headers, $shib_headers_constant ) = shibboleth_getoption( 'shibboleth_headers', array(), true, true );
-					$constant = $constant || $shib_headers_constant;
-					list( $create_accounts, $from_constant ) = shibboleth_getoption( 'shibboleth_create_accounts', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $auto_combine_accounts, $from_constant ) = shibboleth_getoption( 'shibboleth_auto_combine_accounts', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $manually_combine_accounts, $from_constant ) = shibboleth_getoption( 'shibboleth_manually_combine_accounts', false, false, true );
-					$constant = $constant || $from_constant;
-					?>
+				<?php
+			break;
+
+		case 'user':
+			$constant = false;
+			list( $shib_headers, $shib_headers_constant ) = shibboleth_getoption( 'shibboleth_headers', array(), true, true );
+			$constant = $constant || $shib_headers_constant;
+			list( $create_accounts, $from_constant ) = shibboleth_getoption( 'shibboleth_create_accounts', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $auto_combine_accounts, $from_constant ) = shibboleth_getoption( 'shibboleth_auto_combine_accounts', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $manually_combine_accounts, $from_constant ) = shibboleth_getoption( 'shibboleth_manually_combine_accounts', false, false, true );
+			$constant = $constant || $from_constant;
+			?>
 
 
 			<h2><?php esc_html_e( 'User Configuration', 'shibboleth' ); ?></h2>
-					<?php if ( $constant ) { ?>
-				<div class="notice notice-warning">
-					<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
-				</div>
+			<?php if ( $constant ) { ?>
+			<div class="notice notice-warning">
+				<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
+			</div>
 			<?php } ?>
 			<h3><?php esc_html_e( 'User Profile Data', 'shibboleth' ); ?></h3>
 
 			<p>
-					<?php
-					echo wp_kses_post(
-						__(
-							'Define the Shibboleth headers which should be mapped to each user profile attribute.  These
-							 header names are configured in <code>attribute-map.xml</code> (for Shibboleth 2.x) or
-							 <code>AAP.xml</code> (for Shibboleth 1.x).',
-							'shibboleth'
-						)
-					);
-					?>
+			<?php
+			echo wp_kses_post(
+				__(
+					'Define the Shibboleth headers which should be mapped to each user profile attribute.  These
+					 header names are configured in <code>attribute-map.xml</code> (for Shibboleth 2.x) or
+					 <code>AAP.xml</code> (for Shibboleth 1.x).',
+					'shibboleth'
+				)
+			);
+			?>
 			</p>
 
 			<p>
-					<?php esc_html_e( 'Wiki Documentation', 'shibboleth' ); ?>:
-				<a href="https://spaces.internet2.edu/display/SHIB/AttributeAcceptancePolicy" target="_blank">Shibboleth 1.3</a> |
-				<a href="https://spaces.internet2.edu/display/SHIB2/NativeSPAddAttribute" target="_blank">Shibboleth 2</a>
+				<?php esc_html_e( 'Wiki Documentation', 'shibboleth' ); ?>:
+				<a href="https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2070414225/XMLAttributeExtractorExamples" target="_blank">Shibboleth SP v3</a> |
+				<a href="https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072493/NativeSPAddAttribute" target="_blank">Shibboleth SP v2</a>
 			</p>
 
 			<table class="form-table optiontable editform" cellspacing="2" cellpadding="5">
+				<?php
+				foreach ( $shib_header_fields as $header_field => $header_field_label ) {
+					$header_field_id = 'shibboleth_' . $header_field;
+					$header_field_managed_id = 'shibboleth_managed_' . $header_field;
+					$header_field_value = isset( $shib_headers[ $header_field ]['name'] ) ? $shib_headers[ $header_field ]['name'] : '';
+					$header_field_managed = ! empty( $shib_headers[ $header_field ]['managed'] );
+					$header_field_managed_disabled = $shib_headers_constant;
+
+					// Username field is always managed and disabled.
+					if ( 'username' === $header_field ) {
+						$header_field_managed = true;
+						$header_field_managed_disabled = true;
+					}
+					?>
 				<tr valign="top">
-					<th scope="row"><label for="username"><?php esc_html_e( 'Username' ); ?></label></th>
+					<th scope="row">
+						<label for="<?php echo esc_attr( $header_field_id ); ?>"><?php echo esc_html( $header_field_label ); ?></label>
+					</th>
 					<td>
-						<input type="text" id="username" name="headers[username][name]" value="<?php echo esc_attr( $shib_headers['username']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
+						<input type="text" id="<?php echo esc_attr( $header_field_id ); ?>" name="headers[<?php echo esc_attr( $header_field ); ?>][name]" value="<?php echo esc_attr( $header_field_value ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
 					</td>
 					<td width="60%">
-						<input type="checkbox" id="username_managed" name="headers[username][managed]" <?php checked( true ); ?><?php disabled( true ); ?>/> <label for="username_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
-					</td>
-				</tr>
-				<tr valign="top">
-					<th scope="row"><label for="first_name"><?php esc_html_e( 'First name' ); ?></label></th>
-					<td>
-						<input type="text" id="first_name" name="headers[first_name][name]" value="<?php echo esc_attr( $shib_headers['first_name']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
-					</td>
-					<td>
-						<input type="checkbox" id="first_name_managed" name="headers[first_name][managed]" <?php isset( $shib_headers['first_name']['managed'] ) && checked( $shib_headers['first_name']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?> /> <label for="first_name_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
-					</td>
-				</tr>
-				<tr valign="top">
-					<th scope="row"><label for="last_name"><?php esc_html_e( 'Last name' ); ?></label></th>
-					<td>
-						<input type="text" id="last_name" name="headers[last_name][name]" value="<?php echo esc_attr( $shib_headers['last_name']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
-					</td>
-					<td>
-						<input type="checkbox" id="last_name_managed" name="headers[last_name][managed]" <?php isset( $shib_headers['last_name']['managed'] ) && checked( $shib_headers['last_name']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?> /> <label for="last_name_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
-					</td>
-				</tr>
-				<tr valign="top">
-					<th scope="row"><label for="nickname"><?php esc_html_e( 'Nickname' ); ?></label></th>
-					<td>
-						<input type="text" id="nickname" name="headers[nickname][name]" value="<?php echo esc_attr( $shib_headers['nickname']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
-					</td>
-					<td>
-						<input type="checkbox" id="nickname_managed" name="headers[nickname][managed]" <?php isset( $shib_headers['nickname']['managed'] ) && checked( $shib_headers['nickname']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?>/> <label for="nickname_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
-					</td>
-				</tr>
-				<tr valign="top">
-					<th scope="row"><label for="_display_name"><?php esc_html_e( 'Display name', 'shibboleth' ); ?></label></th>
-					<td>
-						<input type="text" id="_display_name" name="headers[display_name][name]" value="<?php echo esc_attr( $shib_headers['display_name']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
-					</td>
-					<td>
-						<input type="checkbox" id="display_name_managed" name="headers[display_name][managed]" <?php isset( $shib_headers['display_name']['managed'] ) && checked( $shib_headers['display_name']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?>/> <label for="display_name_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
-					</td>
-				</tr>
-				<tr valign="top">
-					<th scope="row"><label for="email"><?php esc_html_e( 'Email Address', 'shibboleth' ); ?></label></th>
-					<td>
-						<input type="text" id="email" name="headers[email][name]" value="<?php echo esc_attr( $shib_headers['email']['name'] ); ?>" <?php disabled( $shib_headers_constant ); ?>/>
-					</td>
-					<td>
-						<input type="checkbox" id="email_managed" name="headers[email][managed]" <?php isset( $shib_headers['email']['managed'] ) && checked( $shib_headers['email']['managed'], 'on' ); ?><?php disabled( $shib_headers_constant ); ?> /> <label for="email_managed"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
+						<input type="checkbox" id="<?php echo esc_attr( $header_field_managed_id ); ?>" name="headers[<?php echo esc_attr( $header_field ); ?>][managed]" <?php checked( $header_field_managed ); ?><?php disabled( $header_field_managed_disabled ); ?> /> <label for="<?php echo esc_attr( $header_field_managed_id ); ?>"><?php esc_html_e( 'Managed', 'shibboleth' ); ?></label>
 					</td>
 				</tr>
+					<?php
+				}
+				?>
 			</table>
 
 			<p>
-					<?php
-					echo wp_kses_post(
-						__(
-							'<em>Managed</em> profile fields are updated each time the user logs in using the current
-							 data provided by Shibboleth.  Additionally, users will be prevented from manually updating these
-							 fields from within WordPress.  Note that Shibboleth data is always used to populate the user
-							 profile during initial account creation.',
-							'shibboleth'
-						)
-					);
-					?>
+			<?php
+			echo wp_kses_post(
+				__(
+					'<em>Managed</em> profile fields are updated each time the user logs in using the current
+					 data provided by Shibboleth.  Additionally, users will be prevented from manually updating these
+					 fields from within WordPress.  Note that Shibboleth data is always used to populate the user
+					 profile during initial account creation.',
+					'shibboleth'
+				)
+			);
+			?>
 			</p>
 
 			<table class="form-table">
@@ -654,67 +642,68 @@ function AttributeAccessMethod() {
 				</tr>
 			</table>
 
-					<?php
-					break;
-				case 'authorization':
-					$constant = false;
-					list( $shib_roles, $shib_roles_constant ) = shibboleth_getoption( 'shibboleth_roles', array(), true, true );
-					$constant = $constant || $shib_roles_constant;
-					list( $default_role, $from_constant ) = shibboleth_getoption( 'shibboleth_default_role', false, false, true );
-					$constant = $constant || $from_constant;
-					list( $update_roles, $from_constant ) = shibboleth_getoption( 'shibboleth_update_roles', false, false, true );
-					$constant = $constant || $from_constant;
-					?>
+			<?php
+			break;
+
+		case 'authorization':
+			$constant = false;
+			list( $shib_roles, $shib_roles_constant ) = shibboleth_getoption( 'shibboleth_roles', array(), true, true );
+			$constant = $constant || $shib_roles_constant;
+			list( $default_role, $from_constant ) = shibboleth_getoption( 'shibboleth_default_role', false, false, true );
+			$constant = $constant || $from_constant;
+			list( $update_roles, $from_constant ) = shibboleth_getoption( 'shibboleth_update_roles', false, false, true );
+			$constant = $constant || $from_constant;
+			?>
 
 			<h2><?php esc_html_e( 'User Role Mappings', 'shibboleth' ); ?></h2>
-						<?php if ( $constant ) { ?>
-				<div class="notice notice-warning">
-					<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
-				</div>
-							<?php
-						}
+			<?php if ( $constant ) { ?>
+			<div class="notice notice-warning">
+				<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
+			</div>
+				<?php
+			}
 
-						/**
-						 * Filter shibboleth_role_mapping_override
-						 * Return true to override the default user role mapping form
-						 *
-						 * @param boolean - default value false
-						 * @return boolean - true if override
-						 * @since 1.4
-						 *
-						 * Use in conjunction with shibboleth_role_mapping_form action below
-						 */
-						if ( apply_filters( 'shibboleth_role_mapping_override', false ) === false ) {
-							?>
+			/**
+			 * Filter shibboleth_role_mapping_override
+			 * Return true to override the default user role mapping form
+			 *
+			 * @param boolean - default value false
+			 * @return boolean - true if override
+			 * @since 1.4
+			 *
+			 * Use in conjunction with shibboleth_role_mapping_form action below
+			 */
+			if ( apply_filters( 'shibboleth_role_mapping_override', false ) === false ) {
+				?>
 
-				<p>
-							<?php
-							esc_html_e(
-								'Users can be placed into one of WordPress\'s internal roles based on any
-								 attribute.  For example, you could define a special eduPersonEntitlement value
-								 that designates the user as a WordPress Administrator.  Or you could automatically
-								 place all users with an eduPersonAffiliation of "faculty" in the Author role.',
-								'shibboleth'
-							);
-							?>
-				</p>
+			<p>
+				<?php
+				esc_html_e(
+					'Users can be placed into one of WordPress\'s internal roles based on any
+					 attribute.  For example, you could define a special eduPersonEntitlement value
+					 that designates the user as a WordPress Administrator.  Or you could automatically
+					 place all users with an eduPersonAffiliation of "faculty" in the Author role.',
+					'shibboleth'
+				);
+				?>
+			</p>
 
-				<p>
-							<?php
-							echo wp_kses_post(
-								__(
-									'<strong>Current Limitations:</strong> While WordPress supports users having
-									 multiple roles, the Shibboleth plugin will only place the user in the highest ranking
-									 role.  Only a single header/value pair is supported for each user role.  This may be
-									 expanded in the future to support multiple header/value pairs or regular expression
-									 values.  In the meantime, you can use the <em>shibboleth_roles</em> and
-									 <em>shibboleth_user_role</em> WordPress filters to provide your own logic for assigning
-									 user roles.',
-									'shibboleth'
-								)
-							);
-							?>
-				</p>
+			<p>
+				<?php
+				echo wp_kses_post(
+					__(
+						'<strong>Current Limitations:</strong> While WordPress supports users having
+						 multiple roles, the Shibboleth plugin will only place the user in the highest ranking
+						 role.  Only a single header/value pair is supported for each user role.  This may be
+						 expanded in the future to support multiple header/value pairs or regular expression
+						 values.  In the meantime, you can use the <em>shibboleth_roles</em> and
+						 <em>shibboleth_user_role</em> WordPress filters to provide your own logic for assigning
+						 user roles.',
+						'shibboleth'
+					)
+				);
+				?>
+			</p>
 
 			<style type="text/css">
 				#role_mappings { padding: 0; }
@@ -735,26 +724,24 @@ function AttributeAccessMethod() {
 					</tr>
 				</thead>
 				<tbody>
-							<?php
-
-							foreach ( $wp_roles->role_names as $key => $name ) {
-								$header = '';
-								if ( isset( $shib_roles[ $key ]['header'] ) ) {
-									$header = $shib_roles[ $key ]['header'];
-								}
-								$value = '';
-								if ( isset( $shib_roles[ $key ]['value'] ) ) {
-									$value = $shib_roles[ $key ]['value'];
-								}
-								echo '
-				<tr valign="top">
-					<th scope="row">' . esc_html( $name ) . '</th>
-					<td><input type="text" id="role_' . esc_attr( $key ) . '_header" name="shibboleth_roles[' . esc_attr( $key ) . '][header]" value="' . esc_attr( $header ) . '" style="width: 100%" ' . disabled( $shib_roles_constant, true, false ) . '/></td>
-					<td><input type="text" id="role_' . esc_attr( $key ) . '_value" name="shibboleth_roles[' . esc_attr( $key ) . '][value]" value="' . esc_attr( $value ) . '" style="width: 100%" ' . disabled( $shib_roles_constant, true, false ) . '/></td>
-				</tr>';
-							}
-							?>
-
+				<?php
+				foreach ( $wp_roles->role_names as $key => $name ) {
+					$header = '';
+					if ( isset( $shib_roles[ $key ]['header'] ) ) {
+						$header = $shib_roles[ $key ]['header'];
+					}
+					$value = '';
+					if ( isset( $shib_roles[ $key ]['value'] ) ) {
+						$value = $shib_roles[ $key ]['value'];
+					}
+					echo '
+					<tr valign="top">
+						<th scope="row">' . esc_html( $name ) . '</th>
+						<td><input type="text" id="role_' . esc_attr( $key ) . '_header" name="shibboleth_roles[' . esc_attr( $key ) . '][header]" value="' . esc_attr( $header ) . '" style="width: 100%" ' . disabled( $shib_roles_constant, true, false ) . '/></td>
+						<td><input type="text" id="role_' . esc_attr( $key ) . '_value" name="shibboleth_roles[' . esc_attr( $key ) . '][value]" value="' . esc_attr( $value ) . '" style="width: 100%" ' . disabled( $shib_roles_constant, true, false ) . '/></td>
+					</tr>';
+				}
+				?>
 				</tbody>
 			</table>
 
@@ -773,16 +760,16 @@ function AttributeAccessMethod() {
 						</select>
 
 						<p>
-							<?php
-							esc_html_e(
-								'If a user does not map into any of the roles above, they will
-								 be placed into the default role.  If there is no default role, the
-								 user will not be assigned a role when creating an account with
-								 Shibboleth.  If "(skip \'no role\' account creation)" is selected, the user
-								 will not be able to create an account with Shibboleth.',
-								'shibboleth'
-							);
-							?>
+						<?php
+						esc_html_e(
+							'If a user does not map into any of the roles above, they will
+							 be placed into the default role.  If there is no default role, the
+							 user will not be assigned a role when creating an account with
+							 Shibboleth.  If "(skip \'no role\' account creation)" is selected, the user
+							 will not be able to create an account with Shibboleth.',
+							'shibboleth'
+						);
+						?>
 						</p>
 					</td>
 				</tr>
@@ -795,47 +782,49 @@ function AttributeAccessMethod() {
 						<label for="update_roles"><?php esc_html_e( 'Use Shibboleth data to update user role mappings each time the user logs in.', 'shibboleth' ); ?></label>
 
 						<p>
-							<?php
-							echo wp_kses_post(
-								__(
-									'Be aware that if you use this option, you should <strong>not</strong> update user roles manually,
-									 since they will be overwritten from Shibboleth the next time the user logs in.  Note that Shibboleth data
-									 is always used to populate the initial user role during account creation.',
-									'shibboleth'
-								)
-							);
-							?>
+						<?php
+						echo wp_kses_post(
+							__(
+								'Be aware that if you use this option, you should <strong>not</strong> update user roles manually,
+								 since they will be overwritten from Shibboleth the next time the user logs in.  Note that Shibboleth data
+								 is always used to populate the initial user role during account creation.',
+								'shibboleth'
+							)
+						);
+						?>
 						</p>
 					</td>
 				</tr>
 			</table>
 
-							<?php
-						} else {
-							/**
-							 * Action shibboleth_role_mapping_form
-							 * Roll your own custom Shibboleth role mapping admin UI
-							 *
-							 * @param $shib_headers array
-							 * @param $shib_roles array
-							 * @since 1.4
-							 *
-							 * Use in conjunction with shibboleth_role_mapping_override filter
-							 */
-							do_action( 'shibboleth_role_mapping_form', $shib_headers, $shib_roles );
-						} // if ( form override )
-					break;
-				case 'logging':
-					$constant = false;
-					list( $shib_logging, $shib_logging_constant ) = shibboleth_getoption( 'shibboleth_logging', array(), true, true );
-					$constant = $constant || $shib_logging_constant;
-					?>
-		<h2><?php esc_html_e( 'Logging Configuration', 'shibboleth' ); ?></h2>
-					<?php if ( $constant ) { ?>
+				<?php
+			} else {
+				/**
+				 * Action shibboleth_role_mapping_form
+				 * Roll your own custom Shibboleth role mapping admin UI
+				 *
+				 * @param $shib_headers array
+				 * @param $shib_roles array
+				 * @since 1.4
+				 *
+				 * Use in conjunction with shibboleth_role_mapping_override filter
+				 */
+				do_action( 'shibboleth_role_mapping_form', $shib_headers, $shib_roles );
+			} // if ( form override )
+
+			break;
+
+		case 'logging':
+			$constant = false;
+			list( $shib_logging, $shib_logging_constant ) = shibboleth_getoption( 'shibboleth_logging', array(), true, true );
+			$constant = $constant || $shib_logging_constant;
+			?>
+			<h2><?php esc_html_e( 'Logging Configuration', 'shibboleth' ); ?></h2>
+			<?php if ( $constant ) { ?>
 			<div class="notice notice-warning">
 				<p><?php echo wp_kses_post( __( '<strong>Note:</strong> Some options below are defined in the <code>wp-config.php</code> file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?></p>
 			</div>
-		<?php } ?>
+			<?php } ?>
 			<table class="form-table">
 				<tr>
 					<th scope="row"><?php esc_html_e( 'Log Authentication Attempts', 'shibboleth' ); ?></th>
@@ -866,12 +855,12 @@ function AttributeAccessMethod() {
 					</td>
 				</tr>
 			</table>
-					<?php
-					break;
-			}
+			<?php
+			break;
+	}
 
-			wp_nonce_field( 'shibboleth_update_options' );
-			?>
+	wp_nonce_field( 'shibboleth_update_options' );
+	?>
 			<p class="submit">
 				<input type="submit" name="submit" class="button-primary" value="<?php esc_html_e( 'Save Changes' ); ?>" />
 			</p>
diff --git a/options-user.php b/options-user.php
index cbe7e43..838180f 100644
--- a/options-user.php
+++ b/options-user.php
@@ -158,7 +158,7 @@ function shibboleth_link_accounts_button( $user ) {
 					<?php } elseif ( defined( 'IS_PROFILE_PAGE' ) && ! IS_PROFILE_PAGE ) { ?>
 						<p class="description"><?php esc_html_e( 'This user account has not been linked to Shibboleth.', 'shibboleth' ); ?></p>
 					<?php } else { ?>
-						<a href="?shibboleth=link"><button type="button" class="button"><?php esc_html_e( 'Link Shibboleth Account', 'shibboleth' ); ?></button></a>
+						<a href="<?php echo esc_url( wp_nonce_url( '?shibboleth=link', 'shibboleth-link' ) ); ?>"><button type="button" class="button"><?php esc_html_e( 'Link Shibboleth Account', 'shibboleth' ); ?></button></a>
 						<p class="description"><?php esc_html_e( 'Your account has not been linked to Shibboleth. To link your account, click the button above.', 'shibboleth' ); ?></p>
 					<?php } ?>
 				</td>
@@ -182,16 +182,18 @@ function shibboleth_link_accounts() {
 	if ( is_admin() && 'profile' === $screen->id ) {
 		$user_id = get_current_user_id();
 
-		// If profile page has ?shibboleth=link action and current user can edit their profile, proceed
+		// If profile page has ?shibboleth=link action and current user can edit their profile, proceed.
 		if ( isset( $_GET['shibboleth'] ) && 'link' === $_GET['shibboleth'] && current_user_can( 'edit_user', $user_id ) ) {
+			check_admin_referer( 'shibboleth-link' );
+
 			$shib_logging = shibboleth_getoption( 'shibboleth_logging', false, true );
 			$allowed = shibboleth_getoption( 'shibboleth_manually_combine_accounts', 'disallow' );
 
-			// If user's account is not already linked with shibboleth, proceed
+			// If user's account is not already linked with shibboleth, proceed.
 			if ( ! get_user_meta( $user_id, 'shibboleth_account' ) ) {
-				// If manual account merging is enabled, proceed
+				// If manual account merging is enabled, proceed.
 				if ( 'allow' === $allowed || 'bypass' === $allowed ) {
-					// If there is an existing shibboleth session, proceed
+					// If there is an existing shibboleth session, proceed.
 					if ( shibboleth_session_active() ) {
 						$shib_headers = shibboleth_getoption( 'shibboleth_headers', false, true );
 
@@ -200,7 +202,7 @@ function shibboleth_link_accounts() {
 
 						$user = get_user_by( 'id', $user_id );
 
-						// If username and email match, safe to merge
+						// If username and email match, safe to merge.
 						if ( $user->user_login === $username && strtolower( $user->user_email ) === strtolower( $email ) ) {
 							update_user_meta( $user->ID, 'shibboleth_account', true );
 							if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {
@@ -208,10 +210,10 @@ function shibboleth_link_accounts() {
 							}
 							wp_safe_redirect( get_edit_user_link() . '?shibboleth=linked' );
 							exit;
-							// If username matches, check if there is a conflict with the email
+							// If username matches, check if there is a conflict with the email.
 						} elseif ( $user->user_login === $username ) {
 								$prevent_conflict = get_user_by( 'email', $email );
-								// If username matches and there is no existing account with the email, safe to merge
+								// If username matches and there is no existing account with the email, safe to merge.
 							if ( ! $prevent_conflict->ID ) {
 								update_user_meta( $user->ID, 'shibboleth_account', true );
 								if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {
@@ -219,7 +221,7 @@ function shibboleth_link_accounts() {
 								}
 								wp_safe_redirect( get_edit_user_link() . '?shibboleth=linked' );
 								exit;
-								// If username matches and there is an existing account with the email, fail
+								// If username matches and there is an existing account with the email, fail.
 							} else {
 								if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {
 									error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to manually merge accounts. Reason: An account already exists with the email: ' . $email . ' .' );
@@ -227,10 +229,10 @@ function shibboleth_link_accounts() {
 								wp_safe_redirect( get_edit_user_link() . '?shibboleth=failed' );
 								exit;
 							}
-							// If email matches and username bypass is enabled, check if there is a conflict with the username
+							// If email matches and username bypass is enabled, check if there is a conflict with the username.
 						} elseif ( strtolower( $user->user_email ) === strtolower( $email ) && 'bypass' === $allowed ) {
 							$prevent_conflict = get_user_by( 'user_login', $username );
-							// If email matches and there is no existing account with the username, safe to merge
+							// If email matches and there is no existing account with the username, safe to merge.
 							if ( ! $prevent_conflict->ID ) {
 								update_user_meta( $user->ID, 'shibboleth_account', true );
 								if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {
@@ -238,7 +240,7 @@ function shibboleth_link_accounts() {
 								}
 								wp_safe_redirect( get_edit_user_link() . '?shibboleth=linked' );
 								exit;
-								// If there is an existing account with the email, fail
+								// If there is an existing account with the email, fail.
 							} else {
 								if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {
 									error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to manually merge accounts using username bypass. Reason: An account already exists with the email: ' . $email . ' .' );
@@ -246,7 +248,7 @@ function shibboleth_link_accounts() {
 								wp_safe_redirect( get_edit_user_link() . '?shibboleth=failed' );
 								exit;
 							}
-							// If no other conditions are met, fail
+							// If no other conditions are met, fail.
 						} else {
 							if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {
 								error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to manually merge accounts. Reason: Username and email do not match what is provided by attributes. Username provided by attribute is: ' . $username . ' and email provided by attribute is ' . $email . '.' );
@@ -255,13 +257,13 @@ function shibboleth_link_accounts() {
 							exit;
 						}
 						// If there is no existing shibboleth session, kick to the shibboleth_session_initiator_url
-						// and redirect to this page with the ?shibboleth=link action
+						// and redirect to this page with the ?shibboleth=link action.
 					} else {
-						$initiator_url = shibboleth_session_initiator_url( get_edit_user_link() . '?shibboleth=link' );
+						$initiator_url = shibboleth_session_initiator_url( wp_nonce_url( get_edit_user_link() . '?shibboleth=link', 'shibboleth-link' ) );
 						wp_redirect( $initiator_url );
 						exit;
 					}
-					// If manual merging is disabled, fail
+					// If manual merging is disabled, fail.
 				} else {
 					if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {
 						error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to manually merge accounts. Reason: Manual account merging is disabled.' );
@@ -269,7 +271,7 @@ function shibboleth_link_accounts() {
 					wp_safe_redirect( get_edit_user_link() . '?shibboleth=failed' );
 					exit;
 				}
-				// If account is already merged, warn
+				// If account is already merged, warn.
 			} else {
 				if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {
 					error_log( '[Shibboleth WordPress Plugin Logging] WARN: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to manually merge accounts. Reason: User\'s account is already merged.' );
diff --git a/shibboleth.php b/shibboleth.php
index 1e1ba7d..578022f 100644
--- a/shibboleth.php
+++ b/shibboleth.php
@@ -42,23 +42,23 @@
  *
  * @since 2.1
  * @param string $option Option identifier.
- * @param bool $default Default value.
- * @param bool $array If we expect the value to be an array.
- * @param bool $compact If you want the constant and value returned as an array.
+ * @param bool   $default Default value.
+ * @param bool   $array If we expect the value to be an array.
+ * @param bool   $compact If you want the constant and value returned as an array.
  * @return mixed
  */
 function shibboleth_getoption( $option, $default = false, $array = false, $compact = false ) {
-	// If a constant is defined with the provided option name, get the value of the constant
+	// If a constant is defined with the provided option name, get the value of the constant.
 	if ( defined( strtoupper( $option ) ) ) {
 		$value = constant( strtoupper( $option ) );
 		$constant = true;
 	} else {
-		// If no constant is set, just get the value from get_site_option()
+		// If no constant is set, just get the value from get_site_option().
 		$value = get_site_option( $option, $default );
 		$constant = false;
 	}
 
-	// If compact is set to true, we compact $value and $constant together for easy use
+	// If compact is set to true, we compact $value and $constant together for easy use.
 	if ( $compact ) {
 		return array(
 			$value,
@@ -66,7 +66,7 @@ function shibboleth_getoption( $option, $default = false, $array = false, $compa
 			'value' => $value,
 			'constant' => $constant,
 		);
-		// Otherwise, just return the $value
+		// Otherwise, just return the $value.
 	} else {
 		return $value;
 	}
@@ -84,38 +84,38 @@ function shibboleth_getoption( $option, $default = false, $array = false, $compa
  */
 function shibboleth_getenv( $var ) {
 	// Get the specified shibboleth attribute access method; if one isn't specified
-	// simply use standard environment variables since they're the safest
+	// simply use standard environment variables since they're the safest.
 	$method = shibboleth_getoption( 'shibboleth_attribute_access_method', 'standard' );
 	$fallback = shibboleth_getoption( 'shibboleth_attribute_access_method_fallback' );
 
 	switch ( $method ) {
-		// Use standard by default for security
+		// Use standard by default for security.
 		case 'standard':
 			$var_method = '';
 			// Disable fallback to prevent the same variables from being checked twice.
 			$fallback = false;
 			break;
-		// If specified, use redirect
+		// If specified, use redirect.
 		case 'redirect':
 			$var_method = 'REDIRECT_';
 			break;
-		// If specified, use http
+		// If specified, use http.
 		case 'http':
 			$var_method = 'HTTP_';
 			break;
-		// If specified, use the custom specified method
+		// If specified, use the custom specified method.
 		case 'custom':
 			$custom = shibboleth_getoption( 'shibboleth_attribute_custom_access_method', '' );
 			$var_method = $custom;
 			break;
-		// Otherwise, fall back to standard for security
+		// Otherwise, fall back to standard for security.
 		default:
 			$var_method = '';
 			// Disable fallback to prevent the same variables from being checked twice.
 			$fallback = false;
 	}
 
-	// Using the selected attribute access method, check all possible cases
+	// Using the selected attribute access method, check all possible cases.
 	$var_under = str_replace( '-', '_', $var );
 	$var_upper = strtoupper( $var );
 	$var_under_upper = strtoupper( $var_under );
@@ -127,7 +127,7 @@ function shibboleth_getenv( $var ) {
 		$var_method . $var_under_upper => true,
 	);
 
-	// If fallback is enabled, we will add the standard environment variables to the end of the array to allow for fallback
+	// If fallback is enabled, we will add the standard environment variables to the end of the array to allow for fallback.
 	if ( $fallback ) {
 		$fallback_check_vars = array(
 			$var => true,
@@ -141,7 +141,7 @@ function shibboleth_getenv( $var ) {
 
 	foreach ( $check_vars as $check_var => $true ) {
 		if ( isset( $_SERVER[ $check_var ] ) && false !== $_SERVER[ $check_var ] ) {
-			return $_SERVER[ $check_var ];
+			return sanitize_text_field( wp_unslash( $_SERVER[ $check_var ] ) );
 		}
 	}
 
@@ -162,7 +162,7 @@ function shibboleth_auto_login() {
 
 		$userobj = wp_signon( '', true );
 		if ( ! is_wp_error( $userobj ) ) {
-			wp_safe_redirect( $_SERVER['REQUEST_URI'] );
+			wp_safe_redirect( isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '' );
 			exit();
 		}
 	}
@@ -358,8 +358,8 @@ function shibboleth_migrate_old_data() {
  */
 function shibboleth_admin_hooks() {
 	if ( defined( 'WP_ADMIN' ) && WP_ADMIN === true ) {
-		require_once dirname( __FILE__ ) . '/options-admin.php';
-		require_once dirname( __FILE__ ) . '/options-user.php';
+		require_once __DIR__ . '/options-admin.php';
+		require_once __DIR__ . '/options-user.php';
 	}
 }
 add_action( 'init', 'shibboleth_admin_hooks' );
@@ -418,15 +418,16 @@ function shibboleth_session_active( $auto_login = false ) {
  *
  * @since 1.0
  * @param null|WP_User|WP_Error $user WP_User if the user is authenticated. WP_Error or null otherwise.
- * @param string $username Username or email address.
- * @param string $password User password.
+ * @param string                $username Username or email address.
+ * @param string                $password User password.
  */
 function shibboleth_authenticate( $user, $username, $password ) {
 	if ( shibboleth_session_active() ) {
 		return shibboleth_authenticate_user();
 	} else {
 		if ( isset( $_REQUEST['redirect_to'] ) ) {
-			$initiator_url = shibboleth_session_initiator_url( $_REQUEST['redirect_to'] );
+			$redirect_to = sanitize_url( wp_unslash( $_REQUEST['redirect_to'] ) );
+			$initiator_url = shibboleth_session_initiator_url( $redirect_to );
 		} else {
 			$initiator_url = shibboleth_session_initiator_url();
 		}
@@ -515,7 +516,7 @@ function shibboleth_logout() {
 function shibboleth_session_initiator_url( $redirect = null ) {
 
 	// first build the target URL.  This is the WordPress URL the user will be returned to after Shibboleth
-	// is done, and will handle actually logging the user into WordPress using the data provided by Shibboleth
+	// is done, and will handle actually logging the user into WordPress using the data provided by Shibboleth.
 	if ( function_exists( 'switch_to_blog' ) ) {
 		if ( ! empty( $GLOBALS['current_blog']->blog_id ) && $GLOBALS['current_blog']->blog_id !== $GLOBALS['current_site']->site_id ) {
 			switch_to_blog( $GLOBALS['current_blog']->blog_id );
@@ -535,7 +536,7 @@ function shibboleth_session_initiator_url( $redirect = null ) {
 		$target = add_query_arg( 'redirect_to', rawurlencode( $redirect ), $target );
 	}
 
-	// now build the Shibboleth session initiator URL
+	// now build the Shibboleth session initiator URL.
 	$initiator_url = shibboleth_getoption( 'shibboleth_login_url' );
 
 	$initiator_url = add_query_arg( 'target', rawurlencode( $target ), $initiator_url );
@@ -613,7 +614,7 @@ function shibboleth_authenticate_user() {
 		return $authenticate;
 	}
 
-	// look up existing account by username, with email as a fallback
+	// look up existing account by username, with email as a fallback.
 	$user_by = 'username';
 	$user = get_user_by( 'login', $username );
 	if ( ! $user ) {
@@ -621,7 +622,7 @@ function shibboleth_authenticate_user() {
 		$user = get_user_by( 'email', $email );
 	}
 
-	// if this account is not a Shibboleth account, then do account combine (if allowed)
+	// if this account is not a Shibboleth account, then do account combine (if allowed).
 	if ( is_object( $user ) && $user->ID && ! get_user_meta( $user->ID, 'shibboleth_account' ) ) {
 		$do_account_combine = false;
 		if ( 'username' === $user_by && ( 'allow' === $auto_combine_accounts || 'allow' === $manually_combine_accounts ) ) {
@@ -648,7 +649,7 @@ function shibboleth_authenticate_user() {
 		}
 	}
 
-	// create account if new user
+	// create account if new user.
 	if ( ! $user ) {
 		$user = shibboleth_create_new_user( $username, $email );
 		if ( is_wp_error( $user ) ) {
@@ -664,7 +665,7 @@ function shibboleth_authenticate_user() {
 		return new WP_Error( 'missing_data', $error_message );
 	}
 
-	// update user data
+	// update user data.
 	shibboleth_update_user_data( $user->ID );
 
 	$update = shibboleth_getoption( 'shibboleth_update_roles' );
@@ -703,7 +704,7 @@ function shibboleth_create_new_user( $user_login, $user_email ) {
 			return null;
 		}
 
-		// create account and flag as a shibboleth account
+		// create account and flag as a shibboleth account.
 		$user_id = wp_insert_user(
 			array(
 				'user_login' => $user_login,
@@ -720,7 +721,7 @@ function shibboleth_create_new_user( $user_login, $user_email ) {
 			$user = new WP_User( $user_id );
 			update_user_meta( $user->ID, 'shibboleth_account', true );
 
-			// always update user data and role on account creation
+			// always update user data and role on account creation.
 			shibboleth_update_user_data( $user->ID, true );
 			$user->set_role( $user_role );
 			do_action( 'shibboleth_set_user_roles', $user );
@@ -815,7 +816,7 @@ function shibboleth_get_managed_user_fields() {
  * the 'force_update' parameter is true, only the user fields marked as 'managed' fields will be
  * updated.
  *
- * @param int $user_id ID of the user to update.
+ * @param int     $user_id ID of the user to update.
  * @param boolean $force_update force update of user data, regardless of 'managed' flag on fields.
  * @uses apply_filters() Calls 'shibboleth_user_*' before setting user attributes,
  *       where '*' is one of: login, nicename, first_name, last_name,
@@ -893,11 +894,13 @@ function shibboleth_disable_login() {
 
 	if ( $disable && ! $bypass ) {
 		if ( isset( $_GET['action'] ) && 'lostpassword' === $_GET['action'] ) {
-			// Disable the ability to reset passwords from wp-login.php
+			// Disable the ability to reset passwords from wp-login.php.
 			add_filter( 'allow_password_reset', '__return_false' );
-		} elseif ( isset( $_POST['log'] ) || isset( $_POST['user_login'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing
-			// Disable the ability to login using local authentication
+		} elseif ( isset( $_POST['log'] ) || isset( $_POST['user_login'] ) ) {
+			// Disable the ability to login using local authentication.
 			wp_die( esc_html( __( 'Shibboleth authentication is required.', 'shibboleth' ) ) );
+
+			check_admin_referer( 'log-in' );
 		}
 	}
 }

From c51f5226d6629b9cff07c2ab6ad68e281d7c98ca Mon Sep 17 00:00:00 2001
From: Jonathan Champ <jrchamp@ncsu.edu>
Date: Fri, 7 Apr 2023 15:27:26 -0400
Subject: [PATCH 3/5] wpcs: use esc_url_raw() for now until WPCS likes
 sanitize_url() again

---
 options-admin.php | 8 ++++----
 shibboleth.php    | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/options-admin.php b/options-admin.php
index 4b28462..b63ec02 100644
--- a/options-admin.php
+++ b/options-admin.php
@@ -89,19 +89,19 @@ function shibboleth_options_page() {
 					update_site_option( 'shibboleth_attribute_custom_access_method', sanitize_text_field( wp_unslash( $_POST['attribute_custom_access'] ) ) );
 				}
 				if ( ! defined( 'SHIBBOLETH_LOGIN_URL' ) && isset( $_POST['login_url'] ) ) {
-					update_site_option( 'shibboleth_login_url', sanitize_url( wp_unslash( $_POST['login_url'] ) ) );
+					update_site_option( 'shibboleth_login_url', esc_url_raw( wp_unslash( $_POST['login_url'] ) ) );
 				}
 				if ( ! defined( 'SHIBBOLETH_LOGOUT_URL' ) && isset( $_POST['logout_url'] ) ) {
-					update_site_option( 'shibboleth_logout_url', sanitize_url( wp_unslash( $_POST['logout_url'] ) ) );
+					update_site_option( 'shibboleth_logout_url', esc_url_raw( wp_unslash( $_POST['logout_url'] ) ) );
 				}
 				if ( ! defined( 'SHIBBOLETH_SPOOF_KEY' ) && isset( $_POST['spoofkey'] ) ) {
 					update_site_option( 'shibboleth_spoof_key', sanitize_text_field( wp_unslash( $_POST['spoofkey'] ) ) );
 				}
 				if ( ! defined( 'SHIBBOLETH_PASSWORD_CHANGE_URL' ) && isset( $_POST['password_change_url'] ) ) {
-					update_site_option( 'shibboleth_password_change_url', sanitize_url( wp_unslash( $_POST['password_change_url'] ) ) );
+					update_site_option( 'shibboleth_password_change_url', esc_url_raw( wp_unslash( $_POST['password_change_url'] ) ) );
 				}
 				if ( ! defined( 'SHIBBOLETH_PASSWORD_RESET_URL' ) && isset( $_POST['password_reset_url'] ) ) {
-					update_site_option( 'shibboleth_password_reset_url', sanitize_url( wp_unslash( $_POST['password_reset_url'] ) ) );
+					update_site_option( 'shibboleth_password_reset_url', esc_url_raw( wp_unslash( $_POST['password_reset_url'] ) ) );
 				}
 				if ( ! defined( 'SHIBBOLETH_DEFAULT_TO_SHIB_LOGIN' ) ) {
 					update_site_option( 'shibboleth_default_to_shib_login', ! empty( $_POST['default_login'] ) );
diff --git a/shibboleth.php b/shibboleth.php
index 578022f..7259a15 100644
--- a/shibboleth.php
+++ b/shibboleth.php
@@ -426,7 +426,7 @@ function shibboleth_authenticate( $user, $username, $password ) {
 		return shibboleth_authenticate_user();
 	} else {
 		if ( isset( $_REQUEST['redirect_to'] ) ) {
-			$redirect_to = sanitize_url( wp_unslash( $_REQUEST['redirect_to'] ) );
+			$redirect_to = esc_url_raw( wp_unslash( $_REQUEST['redirect_to'] ) );
 			$initiator_url = shibboleth_session_initiator_url( $redirect_to );
 		} else {
 			$initiator_url = shibboleth_session_initiator_url();

From 709f103cd6011a77423d56f9e329ee52ab7fff16 Mon Sep 17 00:00:00 2001
From: Jonathan Champ <jrchamp@ncsu.edu>
Date: Fri, 7 Apr 2023 16:05:24 -0400
Subject: [PATCH 4/5] doc: Update Shibboleth external documentation links

---
 options-admin.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/options-admin.php b/options-admin.php
index b63ec02..e788012 100644
--- a/options-admin.php
+++ b/options-admin.php
@@ -265,8 +265,8 @@ function shibboleth_options_page() {
 						);
 						?>
 						<br /><?php esc_html_e( 'Wiki Documentation', 'shibboleth' ); ?>:
-						<a href="https://spaces.internet2.edu/display/SHIB/SessionInitiator" target="_blank">Shibboleth 1.3</a> |
-						<a href="https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator" target="_blank">Shibboleth 2</a>
+						<a href="https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334685/SessionInitiator" target="_blank">Shibboleth SP v3</a> |
+						<a href="https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072500/NativeSPSessionInitiator" target="_blank">Shibboleth SP v2</a>
 					</td>
 				</tr>
 				<tr valign="top">
@@ -283,8 +283,8 @@ function shibboleth_options_page() {
 						);
 						?>
 						<br /><?php esc_html_e( 'Wiki Documentation', 'shibboleth' ); ?>:
-						<a href="https://spaces.internet2.edu/display/SHIB/SPMainConfig" target="_blank">Shibboleth 1.3</a> |
-						<a href="https://spaces.internet2.edu/display/SHIB2/NativeSPLogoutInitiator" target="_blank">Shibboleth 2</a>
+						<a href="https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334687/LogoutInitiator" target="_blank">Shibboleth SP v3</a> |
+						<a href="https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072384/NativeSPLogoutInitiator" target="_blank">Shibboleth SP v2</a>
 					</td>
 				</tr>
 				<tr valign="top">

From fe504dbb82d3d6b813850601e091297d47622fb7 Mon Sep 17 00:00:00 2001
From: Jonathan Champ <jrchamp@ncsu.edu>
Date: Fri, 7 Apr 2023 16:23:07 -0400
Subject: [PATCH 5/5] release: v2.4.2

---
 readme.txt     | 10 ++++++++--
 shibboleth.php |  4 ++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/readme.txt b/readme.txt
index fa2586c..111af14 100644
--- a/readme.txt
+++ b/readme.txt
@@ -2,9 +2,9 @@
 Contributors: michaelryanmcneill, willnorris, mitchoyoshitaka, jrchamp, dericcrago, bshelton229, Alhrath, dandalpiaz
 Tags: shibboleth, authentication, login, saml
 Requires at least: 4.0
-Tested up to: 6.1
+Tested up to: 6.2
 Requires PHP: 5.6
-Stable tag: 2.4.1
+Stable tag: 2.4.2
 
 Allows WordPress to externalize user authentication and account creation to a Shibboleth Service Provider.
 
@@ -197,6 +197,12 @@ This update brings with it a major change to the way Shibboleth attributes are a
 This update brings with it a major change to the way Shibboleth attributes are accessed. For most users, no additional configuration will be necessary. If you are using a specialized server configuration, such as a Shibboleth Service Provider on a reverse proxy or a server configuration that results in environment variables being sent with the prefix REDIRECT_, you should see the changelog for additional details: https://wordpress.org/plugins/shibboleth/#developers
 
 == Changelog ==
+= version 2.4.2 (2023-04-07) =
+ - Documentation: Updated Shibboleth documentation external links [#92](https://github.com/michaelryanmcneill/shibboleth/pull/92)
+ - Accessibility: Improve labels and heading structure on admin pages [#92](https://github.com/michaelryanmcneill/shibboleth/pull/92)
+ - Security: Improve input sanitization and use of nonces [#92](https://github.com/michaelryanmcneill/shibboleth/pull/92)
+ - CI: Switch GitHub Action workflows to check against WordPress coding standard [#92](https://github.com/michaelryanmcneill/shibboleth/pull/92)
+
 = version 2.4.1 (2023-03-20) =
  - Compatibility: Fix redirect_to issues on WordPress 6; thanks @masteradhoc, @caosborne89, @jakeparis [#88](https://github.com/michaelryanmcneill/shibboleth/pull/88)
  - Accessibility: Improve color contrast on login page [#89](https://github.com/michaelryanmcneill/shibboleth/pull/89)
diff --git a/shibboleth.php b/shibboleth.php
index 7259a15..88a214e 100644
--- a/shibboleth.php
+++ b/shibboleth.php
@@ -9,7 +9,7 @@
  * Plugin URI: https://wordpress.org/plugins/shibboleth/
  * Description: Easily externalize user authentication to a <a href="https://www.incommon.org/software/shibboleth/">Shibboleth</a> Service Provider
  * Author: Michael McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris
- * Version: 2.4.1
+ * Version: 2.4.2
  * Requires PHP: 5.6
  * Requires at least: 4.0
  * License: Apache 2 (https://www.apache.org/licenses/LICENSE-2.0.html)
@@ -18,7 +18,7 @@
 
 define( 'SHIBBOLETH_MINIMUM_WP_VERSION', '4.0' );
 define( 'SHIBBOLETH_MINIMUM_PHP_VERSION', '5.6' );
-define( 'SHIBBOLETH_PLUGIN_VERSION', '2.4.1' );
+define( 'SHIBBOLETH_PLUGIN_VERSION', '2.4.2' );
 
 /**
  * Determine if this is a new install or upgrade and, if so, run the