diff --git a/features/bootstrap/MfaContext.php b/features/bootstrap/MfaContext.php
index 252c7f4..3a5ab1b 100644
--- a/features/bootstrap/MfaContext.php
+++ b/features/bootstrap/MfaContext.php
@@ -662,6 +662,7 @@ public function iShouldSeeAPromptForAManagerRescueCode()
 $pageHtml = $page->getHtml();
 Assert::assertContains('Ask Your Recovery Contact for Help', $pageHtml);
 Assert::assertContains('Enter code', $pageHtml);
+ Assert::assertContains('m*****r@e******.c**', $pageHtml);
 }
 /**
diff --git a/modules/expirychecker/src/Auth/Process/ExpiryDate.php b/modules/expirychecker/src/Auth/Process/ExpiryDate.php
index 371b470..8503f16 100644
--- a/modules/expirychecker/src/Auth/Process/ExpiryDate.php
+++ b/modules/expirychecker/src/Auth/Process/ExpiryDate.php
@@ -239,8 +239,7 @@ public function redirect2PasswordChange(
 string $passwordChangeUrl,
 string $change_pwd_session,
 int $expiryTimestamp
- ): void
- {
+ ): void {
 $sessionType = 'expirychecker';
 /* Save state and redirect. */
 $state['expiresAtTimestamp'] = $expiryTimestamp;
diff --git a/modules/expirychecker/src/Utilities.php b/modules/expirychecker/src/Utilities.php
index 937766d..871d388 100644
--- a/modules/expirychecker/src/Utilities.php
+++ b/modules/expirychecker/src/Utilities.php
@@ -30,10 +30,14 @@ public static function getUrlDomain(string $in_url, string $start_marker = '//',
 *
 * Returns 1 if the domains of the two urls are the same and 0 otherwise.
 */
- public static function haveSameDomain(string $url1, string $start_marker1,
- string $end_marker1, string $url2, string $start_marker2 = '//',
- string $end_marker2 = '/'): int
- {
+ public static function haveSameDomain(
+ string $url1,
+ string $start_marker1,
+ string $end_marker1,
+ string $url2,
+ string $start_marker2 = '//',
+ string $end_marker2 = '/'
+ ): int {
 $domain1 = self::getUrlDomain($url1, $start_marker1, $end_marker1);
 $domain2 = self::getUrlDomain($url2, $start_marker2, $end_marker2);
@@ -53,9 +57,12 @@ public static function haveSameDomain(string $url1, string $start_marker1,
 * for apex to use. If the domains of the change password url and the
 * original url are different, it appends the StateId to the output.
 */
- public static function convertOriginalUrl(string $passwordChangeUrl,
- string $originalUrlParam, string $originalUrl, string $stateId): string
- {
+ public static function convertOriginalUrl(
+ string $passwordChangeUrl,
+ string $originalUrlParam,
+ string $originalUrl,
+ string $stateId
+ ): string {
 $sameDomain = self::haveSameDomain($passwordChangeUrl, '//', '/', $originalUrl, '//', '/');
 $original = $originalUrlParam . ":" . urlencode($originalUrl);
diff --git a/modules/material/themes/material/default/header.twig b/modules/material/themes/material/default/header.twig
index 0296a66..4d95fb5 100644
--- a/modules/material/themes/material/default/header.twig
+++ b/modules/material/themes/material/default/header.twig
@@ -7,7 +7,7 @@ {% if not (analyticsTrackingId ?? null) is empty %} - + {% endif %}
diff --git a/modules/material/themes/material/default/selectidp-links.twig b/modules/material/themes/material/default/selectidp-links.twig
index 3c3a509..7915c60 100644
--- a/modules/material/themes/material/default/selectidp-links.twig
+++ b/modules/material/themes/material/default/selectidp-links.twig
@@ -10,7 +10,7 @@ const idpInput = document.createElement('input');
 idpInput.type = 'hidden';
- idpInput.name = '{{ returnIDParam|e }}';
+ idpInput.name = '{{ returnIDParam|e('js')|raw }}';
 idpInput.value = id;
 document.querySelector('form').appendChild(idpInput);
@@ -39,7 +39,7 @@ {% if not helpCenterUrl ?? '' is empty %}
@@ -51,9 +51,9 @@ {% include 'announcement.twig' %}
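Review bot: On the new `idpInput.name` line in selectidp-links.twig, `|raw` is safe only because `e('js')` runs before it, and nothing in the template records that dependency. Twig's `js` strategy backslash-escapes everything outside a small alphanumeric set, so its output carries no HTML-significant characters and the autoescaper would likely leave it unchanged anyway; that makes `|raw` look unnecessary, and dropping it (`'{{ returnIDParam|e('js') }}'`) removes the risk of a later edit keeping `|raw` while losing the escape. If it stays, a Twig comment above the line such as `{# |raw is valid here only after e('js'); do not separate them #}` would help. The script block this line sits in starts and ends outside the hunk, so other values interpolated there are not visible for the same check.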
- - - + + + {% for idp in idplist %}
diff --git a/modules/material/themes/material/mfa/prompt-for-mfa-manager.twig b/modules/material/themes/material/mfa/prompt-for-mfa-manager.twig
index ee7009f..a2c3c87 100644
--- a/modules/material/themes/material/mfa/prompt-for-mfa-manager.twig
+++ b/modules/material/themes/material/mfa/prompt-for-mfa-manager.twig
@@ -29,7 +29,7 @@

- {{ '{mfa:manager_sent}'|trans({'{managerEmail': managerEmail}) }}
+ {{ '{mfa:manager_sent}'|trans({'%managerEmail%': managerEmail}) }}
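Review bot: The corrected key `'%managerEmail%'` substitutes only if the `{mfa:manager_sent}` translation entry uses that exact token in every locale, and the translation files are not part of this diff. The Behat assertion added in MfaContext.php checks for the masked address next to English strings, so it appears to cover the English page only; a locale still carrying the old `{managerEmail` token would render the placeholder literally without failing that test. It is worth searching the mfa translations for the old token, and confirming that `managerEmail` reaches this template already masked, since the prompt is shown before the second factor is completed.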

@@ -60,7 +60,7 @@
-
diff --git a/modules/material/themes/material/mfa/prompt-for-mfa-totp.twig b/modules/material/themes/material/mfa/prompt-for-mfa-totp.twig
index 5be2e29..7fd9a92 100644
--- a/modules/material/themes/material/mfa/prompt-for-mfa-totp.twig
+++ b/modules/material/themes/material/mfa/prompt-for-mfa-totp.twig
@@ -58,7 +58,7 @@
-
diff --git a/modules/mfa/src/Auth/Process/Mfa.php b/modules/mfa/src/Auth/Process/Mfa.php
index 74ad757..734e773 100644
--- a/modules/mfa/src/Auth/Process/Mfa.php
+++ b/modules/mfa/src/Auth/Process/Mfa.php
@@ -445,8 +445,7 @@ public static function validateMfaSubmission(
 LoggerInterface $logger,
 string $mfaType,
 string $rpOrigin
- ): string
- {
+ ): string {
 if (empty($mfaId)) {
 return 'No MFA ID was provided.';
 } elseif (empty($employeeId)) {
@@ -709,8 +708,7 @@ public static function isRememberMeCookieValid(
 string $expireDate,
 array $mfaOptions,
 array $state
- ): bool
- {
+ ): bool {
 $rememberSecret = Env::requireEnv('REMEMBER_ME_SECRET');
 if (!empty($cookieHash) && !empty($expireDate) && is_numeric($expireDate)) {
 // Check if value of expireDate is in future
@@ -736,8 +734,7 @@ public static function generateRememberMeCookieString(
 string $employeeId,
 int $expireDate,
 array $mfaOptions
- ): string
- {
+ ): string {
 $allMfaIds = '';
 foreach ($mfaOptions as $opt) {
 if ($opt['type'] !== 'manager') {
@@ -764,8 +761,7 @@ protected static function redirectToLowOnBackupCodesNag(
 array &$state,
 string $employeeId,
 int $numBackupCodesRemaining
- ): void
- {
+ ): void {
 $state['employeeId'] = $employeeId;
 $state['numBackupCodesRemaining'] = (string)$numBackupCodesRemaining;
@@ -807,8 +803,7 @@ public static function setRememberMeCookies(
 string $employeeId,
 array $mfaOptions,
 string $rememberDuration = '+30 days'
- ): void
- {
+ ): void {
 $rememberSecret = Env::requireEnv('REMEMBER_ME_SECRET');
 $secureCookie = Env::get('SECURE_COOKIE', true);
 $expireDate = strtotime($rememberDuration);
diff --git a/modules/silauth/src/Auth/Source/models/FailedLoginIpAddress.php b/modules/silauth/src/Auth/Source/models/FailedLoginIpAddress.php
index 7c3ec95..fd443ea 100644
--- a/modules/silauth/src/Auth/Source/models/FailedLoginIpAddress.php
+++ b/modules/silauth/src/Auth/Source/models/FailedLoginIpAddress.php
@@ -140,8 +140,7 @@ public static function isRateLimitBlockingAnyOfThese(array $ipAddresses): bool
 public static function recordFailedLoginBy(
 array $ipAddresses,
 LoggerInterface $logger
- ): void
- {
+ ): void {
 foreach ($ipAddresses as $ipAddress) {
 $newRecord = new FailedLoginIpAddress(['ip_address' => strtolower($ipAddress)]);
diff --git a/modules/silauth/src/Auth/Source/models/FailedLoginUsername.php b/modules/silauth/src/Auth/Source/models/FailedLoginUsername.php
index b0bfa0b..e1bc4ff 100644
--- a/modules/silauth/src/Auth/Source/models/FailedLoginUsername.php
+++ b/modules/silauth/src/Auth/Source/models/FailedLoginUsername.php
@@ -126,8 +126,7 @@ public static function isCaptchaRequiredFor(?string $username): bool
 public static function recordFailedLoginBy(
 string $username,
 LoggerInterface $logger
- ): void
- {
+ ): void {
 $newRecord = new FailedLoginUsername(['username' => strtolower($username)]);
 if (!$newRecord->save()) {
 $logger->critical(json_encode([
diff --git a/modules/silauth/src/Auth/Source/saml/User.php b/modules/silauth/src/Auth/Source/saml/User.php
index d573bb0..6e4df4a 100644
--- a/modules/silauth/src/Auth/Source/saml/User.php
+++ b/modules/silauth/src/Auth/Source/saml/User.php
@@ -18,8 +18,7 @@ public static function convertToSamlFieldNames(
 ?string $managerEmail,
 string $profileReview,
 array $member
- ): array
- {
+ ): array {
 // eduPersonUniqueId (only alphanumeric allowed)
 $alphaNumericUuid = str_replace('-', '', $uuid);
diff --git a/modules/silauth/src/Auth/Source/tests/fakes/FakeIdBroker.php b/modules/silauth/src/Auth/Source/tests/fakes/FakeIdBroker.php
index adab40b..b591848 100644
--- a/modules/silauth/src/Auth/Source/tests/fakes/FakeIdBroker.php
+++ b/modules/silauth/src/Auth/Source/tests/fakes/FakeIdBroker.php
@@ -16,8 +16,7 @@ public function __construct(
 string $accessToken,
 LoggerInterface $logger,
 string $idpDomainName = 'fake.example.com'
- )
- {
+ ) {
 parent::__construct(
 $baseUri,
 $accessToken,