diff --git a/plugins/wporg-5ftf/includes/contributor.php b/plugins/wporg-5ftf/includes/contributor.php
index 64ae51b..2bb5099 100644
--- a/plugins/wporg-5ftf/includes/contributor.php
+++ b/plugins/wporg-5ftf/includes/contributor.php
@@ -106,11 +106,11 @@ function populate_list_table_columns( $column, $post_id ) {
 				$pledge_name = sprintf(
 					'<a href="%1$s">%2$s</a>',
 					get_edit_post_link( $pledge ),
-					$pledge_name
+					esc_html( $pledge_name )
 				);
 			}
 
-			echo $pledge_name;
+			echo wp_kses_post( $pledge_name );
 			break;
 	}
 }
diff --git a/plugins/wporg-5ftf/includes/directory.php b/plugins/wporg-5ftf/includes/directory.php
index e9dcf2b..d35ee70 100755
--- a/plugins/wporg-5ftf/includes/directory.php
+++ b/plugins/wporg-5ftf/includes/directory.php
@@ -13,6 +13,9 @@ use WordPressDotOrg\FiveForTheFuture\Pledge;
 
 defined( 'WPINC' ) || die();
 
+/**
+ * Enqueue scripts and styles.
+ */
 function enqueue_scripts() {
 	global $post;
 
@@ -36,8 +39,12 @@ function enqueue_scripts() {
 	}
 
 	$params = array(
-		// explain 100 is just sanity limit to keep page size performant. might need to lazy-load more in the future
-		// maybe order by donated_employees, or rand, to ensure the top companies are always displayed first, or to make sure treta everyone equal
+		/*
+		 * todo explain 100 is just sanity limit to keep page size performant. might need to lazy-load more in the
+		 * future.
+		 * maybe order by donated_employees, or rand, to ensure the top companies are always displayed first, or
+		 * to make sure treat everyone equal.
+		 */
 		'post_type'      => Pledge\CPT_ID,
 		'post_status'    => 'publish',
 		'posts_per_page' => 100,
@@ -72,7 +79,7 @@ function enqueue_scripts() {
 add_action( 'wp_enqueue_scripts', __NAMESPACE__ . '\enqueue_scripts' );
 
 /**
- * todo
+ * Todo.
  *
  * @return string
  */
@@ -87,9 +94,12 @@ function render_shortcode() {
 
 add_shortcode( 'five_for_the_future_companies', __NAMESPACE__ . '\render_shortcode' );
 
-// shortcode for pledge form
-// form handler for pledge form
+// todo shortcode for pledge form.
+// todo form handler for pledge form.
 
+/**
+ * Todo.
+ */
 function register() {
 	//register_block_type();
 }
diff --git a/plugins/wporg-5ftf/includes/pledge-form.php b/plugins/wporg-5ftf/includes/pledge-form.php
index 6f7fe03..ef32532 100755
--- a/plugins/wporg-5ftf/includes/pledge-form.php
+++ b/plugins/wporg-5ftf/includes/pledge-form.php
@@ -6,10 +6,8 @@
 namespace WordPressDotOrg\FiveForTheFuture\PledgeForm;
 
 use WordPressDotOrg\FiveForTheFuture;
-use WordPressDotOrg\FiveForTheFuture\Pledge;
-use WordPressDotOrg\FiveForTheFuture\PledgeMeta;
-use WordPressDotOrg\FiveForTheFuture\Contributor;
-use WP_Error, WP_Post, WP_User;
+use WordPressDotOrg\FiveForTheFuture\{ Pledge, PledgeMeta, Contributor };
+use WP_Error, WP_User;
 
 defined( 'WPINC' ) || die();
 
@@ -23,11 +21,11 @@ add_shortcode( '5ftf_pledge_form_manage', __NAMESPACE__ . '\render_form_manage'
  * @return false|string
  */
 function render_form_new() {
-	$action   = filter_input( INPUT_POST, 'action' );
-	$data     = get_form_submission();
-	$messages = [];
-	$complete = false;
-	$directory_url = get_permalink( get_page_by_path( 'pledges') );
+	$action        = filter_input( INPUT_POST, 'action' );
+	$data          = get_form_submission();
+	$messages      = [];
+	$complete      = false;
+	$directory_url = get_permalink( get_page_by_path( 'pledges' ) );
 
 	if ( 'Submit Pledge' === $action ) {
 		$processed = process_form_new();
diff --git a/plugins/wporg-5ftf/includes/pledge-meta.php b/plugins/wporg-5ftf/includes/pledge-meta.php
index 3f4f371..902c738 100755
--- a/plugins/wporg-5ftf/includes/pledge-meta.php
+++ b/plugins/wporg-5ftf/includes/pledge-meta.php
@@ -196,7 +196,7 @@ function save_pledge( $pledge_id, $pledge ) {
 	}
 
 	if ( ! current_user_can( 'edit_pledge', $pledge_id ) ) {
-		// todo re-enable once setup cap mapping or whatever
+		// todo re-enable once setup cap mapping or whatever.
 		//return;
 	}
 
@@ -227,6 +227,7 @@ function save_pledge_meta( $pledge_id, $new_values ) {
 	foreach ( $new_values as $key => $value ) {
 		if ( array_key_exists( $key, $config ) ) {
 			$meta_key = META_PREFIX . $key;
+
 			// Since the sanitize callback is called during this function, it could still end up
 			// saving an empty value to the database.
 			update_post_meta( $pledge_id, $meta_key, $value );
diff --git a/plugins/wporg-5ftf/includes/pledge.php b/plugins/wporg-5ftf/includes/pledge.php
index 72db577..52aa0f8 100755
--- a/plugins/wporg-5ftf/includes/pledge.php
+++ b/plugins/wporg-5ftf/includes/pledge.php
@@ -34,6 +34,7 @@ function register() {
  * @return void
  */
 function admin_menu() {
+	// New pledges should only be created through the front end form.
 	remove_submenu_page( 'edit.php?post_type=' . CPT_ID, 'post-new.php?post_type=' . CPT_ID );
 }
 
diff --git a/plugins/wporg-5ftf/index.php b/plugins/wporg-5ftf/index.php
index 49d6b5b..69a239e 100755
--- a/plugins/wporg-5ftf/index.php
+++ b/plugins/wporg-5ftf/index.php
@@ -20,7 +20,7 @@ const PREFIX = '5ftf';
 add_action( 'plugins_loaded', __NAMESPACE__ . '\load' );
 
 /**
- *
+ * Include the rest of the plugin.
  */
 function load() {
 	require_once get_includes_path() . 'contributor.php';
diff --git a/plugins/wporg-5ftf/tests/bootstrap.php b/plugins/wporg-5ftf/tests/bootstrap.php
index 5d39918..1fb3a7f 100755
--- a/plugins/wporg-5ftf/tests/bootstrap.php
+++ b/plugins/wporg-5ftf/tests/bootstrap.php
@@ -19,11 +19,11 @@ if ( ! $core_tests_directory ) {
 	return;
 }
 
-require_once( $core_tests_directory . '/includes/functions.php' );
-require_once( dirname( dirname( $core_tests_directory ) ) . '/build/wp-admin/includes/plugin.php' );
+require_once $core_tests_directory . '/includes/functions.php';
+require_once dirname( dirname( $core_tests_directory ) ) . '/build/wp-admin/includes/plugin.php';
 
 tests_add_filter( 'muplugins_loaded', function() {
-	require_once( dirname( __DIR__ )  . '/index.php' );
+	require_once dirname( __DIR__ )  . '/index.php';
 } );
 
-require_once( $core_tests_directory . '/includes/bootstrap.php' );
+require_once $core_tests_directory . '/includes/bootstrap.php';
diff --git a/plugins/wporg-5ftf/views/form-pledge-new.php b/plugins/wporg-5ftf/views/form-pledge-new.php
index c23ec62..e5977d4 100755
--- a/plugins/wporg-5ftf/views/form-pledge-new.php
+++ b/plugins/wporg-5ftf/views/form-pledge-new.php
@@ -1,6 +1,6 @@
 <?php
-namespace WordPressDotOrg\FiveForTheFuture\View;
 
+namespace WordPressDotOrg\FiveForTheFuture\View;
 use function WordPressDotOrg\FiveForTheFuture\get_views_path;
 
 /**
diff --git a/plugins/wporg-5ftf/views/front-end.php b/plugins/wporg-5ftf/views/front-end.php
index 3887dc3..d3a85c4 100755
--- a/plugins/wporg-5ftf/views/front-end.php
+++ b/plugins/wporg-5ftf/views/front-end.php
@@ -1,5 +1,5 @@
 <?php // todo i18n
-//// change all id/class prefixes to fftf (or something better) b/c not valid to start w/ number
+//// change all id/class prefixes to fftf (or something better) b/c not valid to start w/ number.
 
 // TODO are we using this, or is all the front end stuff happening in the 5ftF theme now?
 ?>
@@ -7,29 +7,34 @@
 <article class="5ftf">
 	<section class="about">
 		<h3>
-			<?php _e( 'Five for the Future', 'wordpressdotorg' ); ?>
+			<?php esc_html_e( 'Five for the Future', 'wporg-5ftf' ); ?>
 		</h3>
 
 		<p>
-			<?php _e( 'Many companies in the WordPress ecosystem choose to contribute 5% of their time back towards sustaining and improving the WordPress project. This helps to ensure that WordPress remains a vibrant platform to build a business on, and prevents a <a href="">tragedy of the commons</a>.', 'wordpressdotorg' ); ?>
-			<?php // link to CTA page ?>
+			<?php wp_kses_post(
+				__( 'Many companies in the WordPress ecosystem choose to contribute 5% of their time back towards sustaining and improving the WordPress project. This helps to ensure that WordPress remains a vibrant platform to build a business on, and prevents a <a href="todo">tragedy of the commons</a>.', 'wporg-5ftf' )
+			); ?>
+			<?php // todo link to CTA page. ?>
 		</p>
 	</section>
 
 	<section class="people">
 		<h3>
-			<?php _e( 'Thank you to all of the companies that participate in Five for the Future.', 'wordpressdotorg' ); ?>
+			<?php esc_html_e( 'Thank you to all of the companies that participate in Five for the Future.', 'wporg-5ftf' ); ?>
 		</h3>
 
-		<?php /*
-		// sort filter options
-		// this should be js - backbone or react? react
-		// in page or api? start in page, can iterate later to add infinite scroll or something
-		*/ ?>
+		<?php
+		/*
+		 * todo.
+		 * sort filter options.
+		 * this should be js - backbone or react? react.
+		 * in page or api? start in page, can iterate later to add infinite scroll or something.
+		 */
+		?>
 
 		<form>
 			<label for="5ftf-search">
-				<?php _e( 'Search:' ); ?>
+				<?php esc_html_e( 'Search:', 'wporg-5ftf' ); ?>
 			</label>
 
 			<input type="text" id="5ftf-search" name="5ftf-search" />
@@ -56,7 +61,7 @@
 					</th>
 					<th>
 						Teams Contributing To
-						<?php // This can't really be sorted in a meaningful way, since multiple teams are listed here ?>
+						<?php // This can't really be sorted in a meaningful way, since multiple teams are listed here. ?>
 					</th>
 				</tr>
 			</thead>
@@ -64,7 +69,7 @@
 			<tbody id="5ftf-companies-body">
 				<tr>
 					<td colspan="5">
-						<?php _e( 'Loading&hellip;' ); ?>
+						<?php esc_html_e( 'Loading&hellip;', 'wporg-5ftf' ); ?>
 					</td>
 				</tr>
 			</tbody>
@@ -96,6 +101,6 @@
 
 		<p>Have a question? Ready to get started? Get in touch and we'll help you find where you're needed the most.</p>
 
-		<?php // link to pledge form ?>
+		<?php // todo link to pledge form. ?>
 	</section>
 </article>
diff --git a/plugins/wporg-5ftf/views/inputs-pledge-contributors.php b/plugins/wporg-5ftf/views/inputs-pledge-contributors.php
index dfc2f6f..254ca0c 100644
--- a/plugins/wporg-5ftf/views/inputs-pledge-contributors.php
+++ b/plugins/wporg-5ftf/views/inputs-pledge-contributors.php
@@ -28,11 +28,11 @@ namespace WordPressDotOrg\FiveForTheFuture\View;
 <?php else : ?>
 
 <div class="5ftf-contributors">
-	<?php foreach ( $contributors as $status => $group ) : ?>
+	<?php foreach ( $contributors as $contributor_status => $group ) : ?>
 		<?php if ( ! empty( $group ) ) : ?>
 			<h3 class="contributor-list-heading">
 				<?php
-				switch ( $status ) {
+				switch ( $contributor_status ) {
 					case 'pending':
 						esc_html_e( 'Unconfirmed', 'wporg' );
 						break;
@@ -43,13 +43,13 @@ namespace WordPressDotOrg\FiveForTheFuture\View;
 				?>
 			</h3>
 
-			<ul class="contributor-list <?php echo esc_attr( $status ); ?>">
+			<ul class="contributor-list <?php echo esc_attr( $contributor_status ); ?>">
 				<?php foreach ( $group as $contributor_post ) :
 					$contributor = get_user_by( 'login', $contributor_post->post_title );
 					?>
 					<li>
 						<?php echo get_avatar( $contributor->user_email, 32 ); ?>
-						<?php echo $contributor_post->post_title; ?>
+						<?php echo esc_html( $contributor_post->post_title ); ?>
 						<!-- TODO These buttons don't do anything yet.
 						<button class="button-primary" data-action="remove" data-contributor-post="<?php echo esc_attr( $contributor_post->ID ); ?>">
 							<?php esc_html_e( 'Remove', 'wporg' ); ?>
diff --git a/plugins/wporg-5ftf/views/inputs-pledge-new-misc.php b/plugins/wporg-5ftf/views/inputs-pledge-new-misc.php
index 2d2f16b..f21a031 100644
--- a/plugins/wporg-5ftf/views/inputs-pledge-new-misc.php
+++ b/plugins/wporg-5ftf/views/inputs-pledge-new-misc.php
@@ -13,7 +13,7 @@ namespace WordPressDotOrg\FiveForTheFuture\View;
 				I understand and agree to the <a href="%s">expectations</a> for
 				inclusion in the Five for the Future acknowledgement program.
 			' ),
-			get_permalink( get_page_by_path( 'expectations' ) ) // TODO Change this URL?
+			esc_url( get_permalink( get_page_by_path( 'expectations' ) ) ) // TODO Change this URL?
 		);
 		?>
 	</p>