Index: bp-activity-admin.php
===================================================================
--- bp-activity-admin.php	(revision 13516)
+++ bp-activity-admin.php	(working copy)
@@ -17,7 +17,7 @@
 if ( !class_exists( 'WP_List_Table' ) ) require( ABSPATH . 'wp-admin/includes/class-wp-list-table.php' );
 
 // Per_page screen option. Has to be hooked in extremely early.
-if ( is_admin() && ! empty( $_REQUEST['page'] ) && 'bp-activity' == $_REQUEST['page'] )
+if ( is_admin() && ! empty( $_REQUEST['page'] ) && 'bp-activity' === $_REQUEST['page'] )
 	add_filter( 'set-screen-option', 'bp_activity_admin_screen_options', 10, 3 );
 
 /**
@@ -144,7 +144,7 @@
  * @return string|int Option value. False to abandon update.
  */
 function bp_activity_admin_screen_options( $value, $option, $new_value ) {
-	if ( 'toplevel_page_bp_activity_per_page' != $option && 'toplevel_page_bp_activity_network_per_page' != $option )
+	if ( 'toplevel_page_bp_activity_per_page' !== $option && 'toplevel_page_bp_activity_network_per_page' !== $option )
 		return $value;
 
 	// Per page.
@@ -213,7 +213,7 @@
 	do_action( 'bp_activity_admin_load', $doaction );
 
 	// Edit screen.
-	if ( 'edit' == $doaction && ! empty( $_GET['aid'] ) ) {
+	if ( 'edit' === $doaction && ! empty( $_GET['aid'] ) ) {
 		// Columns screen option.
 		add_screen_option( 'layout_columns', array( 'default' => 2, 'max' => 2, ) );
 
@@ -775,11 +775,11 @@
 						<div id="post-body-content">
 							<div id="postdiv">
 								<div id="bp_activity_action" class="activitybox">
-									<h2><?php _e( 'Action', 'buddypress' ); ?></h2>
+									<h2><?php esc_html_e( 'Action', 'buddypress' ); ?></h2>
 									<div class="inside">
 										<label for="bp-activities-action" class="screen-reader-text"><?php
 											/* translators: accessibility text */
-											_e( 'Edit activity action', 'buddypress' );
+											esc_html_e( 'Edit activity action', 'buddypress' );
 										?></label>
 										<?php wp_editor( stripslashes( $activity->action ), 'bp-activities-action', array( 'media_buttons' => false, 'textarea_rows' => 7, 'teeny' => true, 'quicktags' => array( 'buttons' => 'strong,em,link,block,del,ins,img,code,spell,close' ) ) ); ?>
 									</div>
@@ -786,11 +786,11 @@
 								</div>
 
 								<div id="bp_activity_content" class="activitybox">
-									<h2><?php _e( 'Content', 'buddypress' ); ?></h2>
+									<h2><?php esc_html_e( 'Content', 'buddypress' ); ?></h2>
 									<div class="inside">
 										<label for="bp-activities-content" class="screen-reader-text"><?php
 											/* translators: accessibility text */
-											_e( 'Edit activity content', 'buddypress' );
+											esc_html_e( 'Edit activity content', 'buddypress' );
 										?></label>
 										<?php wp_editor( stripslashes( $activity->content ), 'bp-activities-content', array( 'media_buttons' => false, 'teeny' => true, 'quicktags' => array( 'buttons' => 'strong,em,link,block,del,ins,img,code,spell,close' ) ) ); ?>
 									</div>
@@ -913,10 +913,10 @@
 
 	<label class="screen-reader-text" for="bp-activities-link"><?php
 		/* translators: accessibility text */
-		_e( 'Link', 'buddypress' );
+		esc_html_e( 'Link', 'buddypress' );
 	?></label>
 	<input type="url" name="bp-activities-link" id="bp-activities-link" value="<?php echo esc_url( $item->primary_link ); ?>" aria-describedby="bp-activities-link-description" />
-	<p id="bp-activities-link-description"><?php _e( 'Activity generated by posts and comments uses the link field for a permalink back to the content item.', 'buddypress' ); ?></p>
+	<p id="bp-activities-link-description"><?php esc_html_e( 'Activity generated by posts and comments uses the link field for a permalink back to the content item.', 'buddypress' ); ?></p>
 
 <?php
 }
@@ -933,7 +933,7 @@
 
 	<label class="screen-reader-text" for="bp-activities-userid"><?php
 		/* translators: accessibility text */
-		_e( 'Author ID', 'buddypress' );
+		esc_html_e( 'Author ID', 'buddypress' );
 	?></label>
 	<input type="number" name="bp-activities-userid" id="bp-activities-userid" value="<?php echo esc_attr( $item->user_id ); ?>" min="1" />
 
@@ -1053,14 +1053,14 @@
 function bp_activity_admin_edit_metabox_itemids( $item ) {
 ?>
 
-	<label for="bp-activities-primaryid"><?php _e( 'Primary Item ID', 'buddypress' ); ?></label>
+	<label for="bp-activities-primaryid"><?php esc_html_e( 'Primary Item ID', 'buddypress' ); ?></label>
 	<input type="number" name="bp-activities-primaryid" id="bp-activities-primaryid" value="<?php echo esc_attr( $item->item_id ); ?>" min="0" />
 	<br />
 
-	<label for="bp-activities-secondaryid"><?php _e( 'Secondary Item ID', 'buddypress' ); ?></label>
+	<label for="bp-activities-secondaryid"><?php esc_html_e( 'Secondary Item ID', 'buddypress' ); ?></label>
 	<input type="number" name="bp-activities-secondaryid" id="bp-activities-secondaryid" value="<?php echo esc_attr( $item->secondary_item_id ); ?>" min="0" />
 
-	<p><?php _e( 'These identify the object that created this activity. For example, the fields could reference a pair of site and comment IDs.', 'buddypress' ); ?></p>
+	<p><?php esc_html_e( 'These identify the object that created this activity. For example, the fields could reference a pair of site and comment IDs.', 'buddypress' ); ?></p>
 
 <?php
 }
Index: classes/class-bp-activity-list-table.php
===================================================================
--- classes/class-bp-activity-list-table.php	(revision 13516)
+++ classes/class-bp-activity-list-table.php	(working copy)
@@ -111,7 +111,7 @@
 
 		// Filter.
 		if ( ! empty( $_REQUEST['activity_type'] ) ) {
-			$filter = array( 'action' => $_REQUEST['activity_type'] );
+			$filter = array( 'action' => sanitize_text_field( $_REQUEST['activity_type'] ) );
 
 			// Set the view as a filtered one.
 			$this->view = 'filtered';
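Review bot: The `! empty()` test still runs on the raw `$_REQUEST['activity_type']`, so a parameter sent as an array, or a string that `sanitize_text_field()` reduces to nothing, yields `'action' => ''` while the view is still marked `filtered`. WordPress slashes request data, so the usual pattern is to unslash first, `$type = sanitize_text_field( wp_unslash( $_REQUEST['activity_type'] ) );`, and then guard the filter assignment with `if ( '' !== $type )`. Because the value is an activity type key, checking it against the registered actions from `bp_activity_get_actions()` would probably be tighter than free-text sanitizing. The same applies to the `$selected` assignment in the hunk at -465. The enclosing method starts and ends outside this hunk.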
@@ -260,7 +260,7 @@
 	 * @since 1.6.0
 	 */
 	function no_items() {
-		_e( 'No activities found.', 'buddypress' );
+		esc_attr_e( 'No activities found.', 'buddypress' );
 	}
 
 	/**
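Review bot: `esc_attr_e()` is the attribute-context escaper, but `no_items()` echoes its message directly, presumably as element text inside the table body. The matching call is `esc_html_e( 'No activities found.', 'buddypress' );`, which also keeps this consistent with the other translated strings in the patch. The two functions pass through different filters, so the choice matters to any code hooked on either one. The `Activities list` heading in the next hunk (-273) has the same mismatch inside an `<h2>`.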
@@ -273,7 +273,7 @@
 
 		<h2 class="screen-reader-text"><?php
 			/* translators: accessibility text */
-			_e( 'Activities list', 'buddypress' );
+			esc_attr_e( 'Activities list', 'buddypress' );
 		?></h2>
 
 		<table class="wp-list-table <?php echo implode( ' ', $this->get_table_classes() ); ?>" cellspacing="0">
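Review bot: The `class` attribute on the `<table>` line is still printed unescaped: `implode( ' ', $this->get_table_classes() )` is echoed raw while the patch escapes the strings around it. Wrapping it as `<?php echo esc_attr( implode( ' ', $this->get_table_classes() ) ); ?>` closes that gap. Where the class names come from is not visible here, so this is about consistent late escaping rather than a known injection path. The method body continues outside the hunk.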
@@ -465,7 +465,7 @@
 		}
 
 		// Is any filter currently selected?
-		$selected = ( ! empty( $_REQUEST['activity_type'] ) ) ? $_REQUEST['activity_type'] : '';
+		$selected = ( ! empty( $_REQUEST['activity_type'] ) ) ? sanitize_text_field( $_REQUEST['activity_type'] ) : '';
 
 		// Get the actions.
 		$activity_actions = bp_activity_get_actions(); ?>
@@ -473,10 +473,10 @@
 		<div class="alignleft actions">
 			<label for="activity-type" class="screen-reader-text"><?php
 				/* translators: accessibility text */
-				_e( 'Filter by activity type', 'buddypress' );
+				esc_html_e( 'Filter by activity type', 'buddypress' );
 			?></label>
 			<select name="activity_type" id="activity-type">
-				<option value="" <?php selected( ! $selected ); ?>><?php _e( 'View all actions', 'buddypress' ); ?></option>
+				<option value="" <?php selected( ! $selected ); ?>><?php esc_html_e( 'View all actions', 'buddypress' ); ?></option>
 
 				<?php foreach ( $activity_actions as $component => $actions ) : ?>
 					<?php
@@ -503,7 +503,7 @@
 					}
 					?>
 
-					<optgroup label="<?php echo esc_html( $component_name ); ?>">
+					<optgroup label="<?php echo esc_attr( $component_name ); ?>">
 
 						<?php foreach ( $actions as $action_key => $action_values ) : ?>
 
@@ -645,7 +645,7 @@
 
 		// Rollover actions.
 		// Reply - JavaScript only; implemented by AJAX.
-		if ( 'spam' != $item_status ) {
+		if ( 'spam' !== $item_status ) {
 			if ( $this->can_comment( $item ) ) {
 				$actions['reply'] = sprintf( '<a href="#" class="reply hide-if-no-js">%s</a>', esc_html__( 'Reply', 'buddypress' ) );
 			} else {
@@ -657,7 +657,7 @@
 		}
 
 		// Spam/unspam.
-		if ( 'spam' == $item_status ) {
+		if ( 'spam' === $item_status ) {
 			$actions['unspam'] = sprintf( '<a href="%s">%s</a>', esc_url( $ham_url ), esc_html__( 'Not Spam', 'buddypress' ) );
 		} else {
 			$actions['spam'] = sprintf( '<a href="%s">%s</a>', esc_url( $spam_url ), esc_html__( 'Spam', 'buddypress' ) );
