Index: bp-xprofile-caps.php
===================================================================
--- bp-xprofile-caps.php	(revision 13498)
+++ bp-xprofile-caps.php	(working copy)
@@ -38,19 +38,19 @@
 			}
 
 			// Visibility on the fullname field is not editable.
-			if ( 1 == $field_id ) {
+			if ( 1 === $field_id ) {
 				$caps[] = 'do_not_allow';
 				break;
 			}
 
 			// Has the admin disabled visibility modification for this field?
-			if ( 'disabled' == bp_xprofile_get_meta( $field_id, 'field', 'allow_custom_visibility' ) ) {
+			if ( 'disabled' === bp_xprofile_get_meta( $field_id, 'field', 'allow_custom_visibility' ) ) {
 				$caps[] = 'do_not_allow';
 				break;
 			}
 
 			// Friends don't let friends edit each other's visibility.
-			if ( $profile_user_id != bp_displayed_user_id() && ! bp_current_user_can( 'bp_moderate' ) ) {
+			if ( $profile_user_id !== bp_displayed_user_id() && ! bp_current_user_can( 'bp_moderate' ) ) {
 				$caps[] = 'do_not_allow';
 				break;
 			}
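Review bot: The change to `1 === $field_id` can fail open if `$field_id` reaches this check as a numeric string, because `1 === '1'` is false and `do_not_allow` would then no longer be added for the fullname field. The assignments of `$field_id` and `$profile_user_id` are outside the hunk, so their types need confirming before relying on strict comparison in a capability check. Casting at the comparison keeps the strictness without changing the outcome: `if ( 1 === (int) $field_id ) {` and `if ( (int) $profile_user_id !== (int) bp_displayed_user_id() && ! bp_current_user_can( 'bp_moderate' ) ) {`. The same type question applies to `1 === $this->id` in get_member_type_label() in classes/class-bp-xprofile-field.php.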
Index: bp-xprofile-cssjs.php
===================================================================
--- bp-xprofile-cssjs.php	(revision 13498)
+++ bp-xprofile-cssjs.php	(working copy)
@@ -16,7 +16,7 @@
  * @since 1.1.0
  */
 function xprofile_add_admin_css() {
-	if ( ! empty( $_GET['page'] ) && strpos( $_GET['page'], 'bp-profile-setup' ) !== false ) {
+	if ( ! empty( $_GET['page'] ) && strpos( sanitize_text_field( $_GET['page'] ), 'bp-profile-setup' ) !== false ) {
 		$min = bp_core_get_minified_asset_suffix();
 
 		wp_enqueue_style( 'xprofile-admin-css', buddypress()->plugin_url . "bp-xprofile/admin/css/admin{$min}.css", array(), bp_get_version() );
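Review bot: `sanitize_text_field( $_GET['page'] )` is applied without `wp_unslash()`, and since the value only feeds `strpos()` it does not change which string requests match. The WordPress convention is `strpos( sanitize_text_field( wp_unslash( $_GET['page'] ) ), 'bp-profile-setup' ) !== false`, and the identical line in xprofile_add_admin_js() should follow it too. One real effect deserves a comment such as `// sanitize_text_field() returns '' for non-string input, so an array-valued page parameter never reaches strpos().`, because that is the only behaviour this wrapper adds.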
@@ -35,7 +35,7 @@
  * @since 1.5.0
  */
 function xprofile_add_admin_js() {
-	if ( ! empty( $_GET['page'] ) && strpos( $_GET['page'], 'bp-profile-setup' ) !== false ) {
+	if ( ! empty( $_GET['page'] ) && strpos( sanitize_text_field( $_GET['page'] ), 'bp-profile-setup' ) !== false ) {
 		wp_enqueue_script( 'jquery-ui-core'      );
 		wp_enqueue_script( 'jquery-ui-tabs'      );
 		wp_enqueue_script( 'jquery-ui-mouse'     );
Index: classes/class-bp-xprofile-field-type-checkbox.php
===================================================================
--- classes/class-bp-xprofile-field-type-checkbox.php	(revision 13498)
+++ classes/class-bp-xprofile-field-type-checkbox.php	(working copy)
@@ -126,7 +126,7 @@
 
 		// Check for updated posted values, but errors preventing them from
 		// being saved first time.
-		if ( isset( $_POST[ 'field_' . $this->field_obj->id ] ) && $option_values != maybe_serialize( $_POST[ 'field_' . $this->field_obj->id ] ) ) {
+		if ( isset( $_POST[ 'field_' . $this->field_obj->id ] ) && $option_values !== maybe_serialize( $_POST[ 'field_' . $this->field_obj->id ] ) ) {
 			if ( ! empty( $_POST[ 'field_' . $this->field_obj->id ] ) ) {
 				$option_values = array_map( 'sanitize_text_field', $_POST[ 'field_' . $this->field_obj->id ] );
 			}
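Review bot: The unchanged `array_map( 'sanitize_text_field', $_POST[ 'field_' . $this->field_obj->id ] )` line assumes the posted value is an array; a scalar `field_<id>` value would make `array_map()` throw a TypeError on PHP 8. A cast closes that gap: `$option_values = array_map( 'sanitize_text_field', (array) $_POST[ 'field_' . $this->field_obj->id ] );`. Separately, if `$option_values` is already an array at this point (its assignment is outside the hunk), comparing it with the string from `maybe_serialize()` is always unequal under both `!=` and `!==`, so the operator change may have no effect.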
@@ -142,7 +142,7 @@
 				// so we'll be sure to get a match.
 				$allowed_options = xprofile_sanitize_data_value_before_save( $options[ $k ]->name, false, false );
 
-				if ( $option_values[ $j ] === $allowed_options || in_array( $allowed_options, $option_values ) ) {
+				if ( $option_values[ $j ] === $allowed_options || in_array( $allowed_options, $option_values, true ) ) {
 					$selected = ' checked="checked"';
 					break;
 				}
Index: classes/class-bp-xprofile-field.php
===================================================================
--- classes/class-bp-xprofile-field.php	(revision 13498)
+++ classes/class-bp-xprofile-field.php	(working copy)
@@ -484,8 +484,8 @@
 				$parent_id = $this->id;
 
 				// Allow plugins to filter the field's child options (i.e. the items in a selectbox).
-				$post_option  = ! empty( $_POST[ "{$this->type}_option" ]           ) ? $_POST[ "{$this->type}_option" ] : '';
-				$post_default = ! empty( $_POST[ "isDefault_{$this->type}_option" ] ) ? $_POST[ "isDefault_{$this->type}_option" ] : '';
+				$post_option  = ! empty( $_POST[ "{$this->type}_option" ]           ) ? sanitize_text_field( $_POST[ "{$this->type}_option" ] ) : '';
+				$post_default = ! empty( $_POST[ "isDefault_{$this->type}_option" ] ) ? sanitize_text_field( $_POST[ "isDefault_{$this->type}_option" ] ) : '';
 
 				/**
 				 * Filters the submitted field option value before saved.
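Review bot: `sanitize_text_field()` returns an empty string when handed an array, so the two changed assignments would likely discard every submitted option. `$_POST[ "{$this->type}_option" ]` appears to be an array of option labels, since the later loop in this method iterates `$option_key` and `$option_value`, and `$defaults` is handled in both an array and a scalar branch. Sanitizing element by element preserves the structure: `map_deep( $_POST[ "{$this->type}_option" ], 'sanitize_text_field' )`, and the same for the `isDefault_` key. The enclosing method starts and ends outside the hunk, so the array shape should be confirmed against the form that posts these fields.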
@@ -517,12 +517,12 @@
 								$is_default = 1;
 							}
 						} else {
-							if ( (int) $defaults == $option_key ) {
+							if ( (int) $defaults === $option_key ) {
 								$is_default = 1;
 							}
 						}
 
-						if ( '' != $option_value ) {
+						if ( '' !== $option_value ) {
 							$sql = $wpdb->prepare( "INSERT INTO {$bp->profile->table_name_fields} (group_id, parent_id, type, name, description, is_required, option_order, is_default_option) VALUES (%d, %d, 'option', %s, '', 0, %d, %d)", $this->group_id, $parent_id, $option_value, $counter, $is_default );
 							if ( ! $wpdb->query( $sql ) ) {
 								return false;
@@ -651,7 +651,7 @@
 
 		// If '_none' is found in the array, it overrides all types.
 		$types = array();
-		if ( ! in_array( '_none', $raw_types ) ) {
+		if ( ! in_array( '_none', $raw_types, true ) ) {
 			$registered_types = bp_get_member_types();
 
 			// Eliminate invalid member types saved in the database.
@@ -766,7 +766,7 @@
 	 */
 	public function get_member_type_label() {
 		// Field 1 is always displayed to everyone, so never gets a label.
-		if ( 1 == $this->id ) {
+		if ( 1 === $this->id ) {
 			return '';
 		}
 
@@ -780,7 +780,7 @@
 
 		// If the field applies to all member types, show no message.
 		$all_types[] = 'null';
-		if ( array_values( $all_types ) == $member_types ) {
+		if ( array_values( $all_types ) === $member_types ) {
 			return '';
 		}
 
@@ -1165,12 +1165,12 @@
 		// Check that field is of valid type.
 		if ( ! in_array( $_POST['fieldtype'], array_keys( bp_xprofile_get_field_types() ), true ) ) {
 			/* translators: %s: field type name */
-			$message = sprintf( esc_html__( 'The profile field type %s is not registered.', 'buddypress' ), '<code>' . esc_attr( $_POST['fieldtype'] ) . '</code>' );
+			$message = sprintf( esc_html__( 'The profile field type %s is not registered.', 'buddypress' ), '<code>' . sanitize_text_field( $_POST['fieldtype'] ) . '</code>' );
 			return false;
 		}
 
 		// Get field type so we can check for and validate any field options.
-		$field_type = bp_xprofile_create_field_type( $_POST['fieldtype'] );
+		$field_type = bp_xprofile_create_field_type( sanitize_text_field( $_POST['fieldtype'] ) );
 
 		// Field type requires options.
 		if ( true === $field_type->supports_options ) {
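Review bot: Replacing `esc_attr()` with `sanitize_text_field()` inside the `<code>` wrapper swaps output escaping for input sanitization. `sanitize_text_field()` strips tags and extra whitespace but does not entity-encode quotes or ampersands, so the message is less safely encoded than before if it is ever printed. Keep an escaping call at the output site, for example `'<code>' . esc_html( sanitize_text_field( $_POST['fieldtype'] ) ) . '</code>'`. Further down, the `in_array()` allow-list check runs on the raw value while `bp_xprofile_create_field_type()` receives the sanitized one; sanitizing once into a local variable and using it for both keeps the validated value and the used value identical. The enclosing method begins and ends outside the hunk, and `$message` is not used in the visible lines.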
@@ -1253,11 +1253,11 @@
 			), $users_url . '#tabs-' . (int) $this->group_id );
 
 			if ( ! empty( $_POST['saveField'] ) ) {
-				$this->name        = $_POST['title'];
-				$this->description = $_POST['description'];
-				$this->is_required = $_POST['required'];
-				$this->type        = $_POST['fieldtype'];
-				$this->field_order = $_POST['field_order'];
+				$this->name        = sanitize_text_field( $_POST['title'] );
+				$this->description = sanitize_text_field( $_POST['description'] );
+				$this->is_required = sanitize_text_field( $_POST['required'] );
+				$this->type        = sanitize_text_field( $_POST['fieldtype'] );
+				$this->field_order = sanitize_text_field( $_POST['field_order'] );
 
 				if ( ! empty( $_POST[ "sort_order_{$this->type}" ] ) ) {
 					$this->order_by = $_POST[ "sort_order_{$this->type}" ];
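Review bot: `$this->order_by` is still assigned from `$_POST[ "sort_order_{$this->type}" ]` unsanitized, so the commit leaves one request value raw in the block it is hardening. The blanket `sanitize_text_field()` is also a poor fit for some of the other fields. It strips line breaks from `description`, where `sanitize_textarea_field()` would keep them. For `required` and `field_order`, an integer cast states the intent better, assuming they are numeric as their names suggest. The enclosing method starts and ends outside the hunk, so any later unslashing or validation of these properties is not visible here.

```php
if ( ! empty( $_POST['saveField'] ) ) {
	// … unchanged: $this->name assignment …
	$this->description = sanitize_textarea_field( $_POST['description'] );
	$this->is_required = absint( $_POST['required'] );
	// … unchanged: $this->type assignment …
	$this->field_order = absint( $_POST['field_order'] );

	if ( ! empty( $_POST[ "sort_order_{$this->type}" ] ) ) {
		$this->order_by = sanitize_text_field( $_POST[ "sort_order_{$this->type}" ] );
```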
