diff --git a/functions.php b/functions.php
index 4393098..8dd3a14 100644
--- a/functions.php
+++ b/functions.php
@@ -215,8 +215,8 @@ if ( ! function_exists( 'omphaloskepsis_fonts_url' ) ) :
 		if ( $fonts ) {
 			$fonts_url = add_query_arg(
 				array(
-					'family' => urlencode( implode( '|', $fonts ) ),
-					'subset' => urlencode( $subsets ),
+					'family' => rawurlencode( implode( '|', $fonts ) ),
+					'subset' => rawurlencode( $subsets ),
 				),
 				'https://fonts.googleapis.com/css'
 			);
@@ -452,6 +452,7 @@ function omphaloskepsis_the_content( $content ) {
 	global $post;
 	if ( 'program' === $post->post_type ) {
 		// phpcs:disable Squiz.PHP.DisallowMultipleAssignments.FoundInControlStructure
+		// phpcs:disable WordPress.CodeAnalysis.AssignmentInCondition.Found
 		if ( $meta = get_post_meta( $post->ID, 'Link', true ) ) {
 			$links = $links . '<a class="hyperlink-button" target="_blank" href="' . $meta . '">Download</a>';
 		}
@@ -517,144 +518,152 @@ function display_companies() {
 	  echo '<th>Associated Items</th>';
 	echo '</tr>';
 
-	// phpcs:disable WordPress.Security.NonceVerification.Missing
-	// phpcs:disable WordPress.PHP.YodaConditions.NotYoda
-	// phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotValidated
-	if ( $_POST['toplevel'] == 'true' ) {
-		// Gets all of the top-level company terms.
-		$terms   = apply_filters(
-			'taxonomy-images-get-terms',
-			'',
-			array(
-				'having_images' => false,
-				'taxonomy'      => 'company',
-				'term_args'     => array( 'parent' => 0 ),
-			)
-		);
-		$include = 1;
-	} else {
-		// Gets all of the company terms.
-		$terms   = apply_filters(
-			'taxonomy-images-get-terms',
-			'',
-			array(
-				'having_images' => false,
-				'taxonomy'      => 'company',
-			)
-		);
-		$include = 0;
-	}
-
-	if ( ! empty( $terms ) ) {
-		foreach ( $terms as $term ) {
-			$term_children = get_term_children( $term->term_id, 'company' );
-
-			// 0 = Jobs
-			// 1 = Blog Posts
-			// 2 = Websites
-			// 3 = Programs
-			// 4 = Writings
-			// 5 = Videos
-			// 6 = Others
-			// 7 = Qualifications
-			// 8 = Awards
-			$post_types       = array( 'job', 'post', 'website', 'program', 'writing', 'video', 'other', 'qualification', 'award' );
-			$dashicons        = array( 'hammer', 'admin-post', 'schedule', 'desktop', 'format-aside', 'video-alt', 'archive', 'id', 'awards' );
-			$term_items       = array();
-			$term_item_counts = array();
-
-			foreach ( $post_types as $post_type ) {
-				$args = array(
-					'posts_per_page' => -1,
-					'post_type'      => $post_type,
-					'tax_query'      => array(
-						array(
-							'taxonomy'         => 'company',
-							'field'            => 'slug',
-							'terms'            => $term->slug,
-							'include_children' => $include,
-						),
-					),
-					'meta_query'     => array(),
-				);
-
-				if ( $_POST['currentjobs'] == 'true' && $post_type == 'job' ) {
-					$args['meta_query'] = array(
-						array(
-							'key'     => 'end-date',
-							'compare' => 'NOT EXISTS',
-							'value'   => '1',
-						),
-					);
-				}
-
-				if ( $_POST['showexpired'] != 'true' && $post_type == 'qualification' ) {
-					$args['meta_query'] = array(
-						array(
-							'key'     => 'Expired',
-							'compare' => 'NOT EXISTS',
-							'value'   => '1',
-						),
-					);
-				}
-
-				$posts = get_posts( $args );
-
-				array_push( $term_items, $posts );
-				array_push( $term_item_counts, count( $posts ) );
-			}
-
-			if ( ( $_POST['job'] == 'true' && $term_item_counts[0] > 0 ) ||
-			( $_POST['post'] == 'true' && $term_item_counts[1] > 0 ) ||
-			( $_POST['website'] == 'true' && $term_item_counts[2] > 0 ) ||
-			( $_POST['program'] == 'true' && $term_item_counts[3] > 0 ) ||
-			( $_POST['writing'] == 'true' && $term_item_counts[4] > 0 ) ||
-			( $_POST['video'] == 'true' && $term_item_counts[5] > 0 ) ||
-			( $_POST['other'] == 'true' && $term_item_counts[6] > 0 ) ||
-			( $_POST['qualification'] == 'true' && $term_item_counts[7] > 0 ) ||
-			( $_POST['award'] == 'true' && $term_item_counts[8] > 0 ) ) {
-				$img_url = wp_get_attachment_image_src( $term->image_id, 'full' )[0];
-				$bg_img  = ( ! $img_url ) ? '' : ' background-image: url(' . strtok( $img_url, '?' ) . ');';
-				$colour = get_term_meta( $term->term_id, 'color', true );
-				$colour = ( $colour != '' ) ? $colour : 'transparent';
-
-				echo '<tr class="organisation">';
-					echo '<td class="organisation-logo">';
-					 echo '<a href="' . esc_url( get_term_link( $term, $term->taxonomy ) ) . '">';
-						echo wp_kses_post( '<img style="background-color: ' . $colour . ';" src="' . strtok( $img_url, '?' ) . '" alt="' . $term->name . ' logo">' );
-					 echo '</a>';
-					echo '</td>';
-
-					echo '<td class="organisation-name">';
-					 echo '<a href="' . esc_url( get_term_link( $term, $term->taxonomy ) ) . '">';
-						echo wp_kses_post( '<p>' . $term->name . '</p>' );
-					 echo '</a>';
-					echo '</td>';
-
-					echo '<td class="organisation-items organisation-children">';
-					 $num = ( count( $term_children ) > 0 ) ? '' : 'none';
-					 echo '<div class="organisation-item ' . esc_attr( $num ) . '">';
-						echo wp_kses_post( '<span class="dashicons dashicons-groups"></span><br>' . count( $term_children ) );
-					 echo '</div>';
-					echo '</td>';
-
-					echo '<td class="organisation-items">';
-					 $i = 0;
-				foreach ( $post_types as $post_type ) {
-					$num = ( $term_item_counts[ $i ] > 0 ) ? '' : 'none';
-					echo '<div class="organisation-item ' . esc_attr( $num ) . '">';
-					echo wp_kses_post( '<span class="dashicons dashicons-' . esc_attr( $dashicons[ $i ] ) . '"></span><br>' . $term_item_counts[ $i ] );
-					echo '</div>';
-					$i++;
-				};
-					echo '</td>';
-				echo '</tr>';
-			}
+	if ( isset( $_SERVER['REQUEST_METHOD'] ) && ( 'POST' === $_SERVER['REQUEST_METHOD'] ) ) {
+		if ( ! isset( $_POST['settings_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( filter_input( INPUT_POST, 'settings_nonce' ) ), 'experience' ) ) {
+			echo '<tr><td>Error</td></tr>';
+			wp_die( 'Invalid nonce' );
+		}
+
+		// phpcs:disable WordPress.NamingConventions.ValidHookName.UseUnderscores
+		if ( isset( $_POST['toplevel'] ) && 'true' === $_POST['toplevel'] ) {
+			// Gets all of the top-level company terms.
+			$terms   = apply_filters(
+				'taxonomy-images-get-terms',
+				'',
+				array(
+					'having_images' => false,
+					'taxonomy'      => 'company',
+					'term_args'     => array( 'parent' => 0 ),
+				)
+			);
+			$include = 1;
+		} else {
+			// Gets all of the company terms.
+			$terms   = apply_filters(
+				'taxonomy-images-get-terms',
+				'',
+				array(
+					'having_images' => false,
+					'taxonomy'      => 'company',
+				)
+			);
+			$include = 0;
+		}
+		// phpcs:enable
+
+		if ( ! empty( $terms ) ) {
+			foreach ( $terms as $term ) {
+				$term_children = get_term_children( $term->term_id, 'company' );
+
+				// 0 = Jobs
+				// 1 = Blog Posts
+				// 2 = Websites
+				// 3 = Programs
+				// 4 = Writings
+				// 5 = Videos
+				// 6 = Others
+				// 7 = Qualifications
+				// 8 = Awards
+				$post_types       = array( 'job', 'post', 'website', 'program', 'writing', 'video', 'other', 'qualification', 'award' );
+				$dashicons        = array( 'hammer', 'admin-post', 'schedule', 'desktop', 'format-aside', 'video-alt', 'archive', 'id', 'awards' );
+				$term_items       = array();
+				$term_item_counts = array();
+
+				// phpcs:disable WordPress.DB.SlowDBQuery.slow_db_query_tax_query
+				// phpcs:disable WordPress.DB.SlowDBQuery.slow_db_query_meta_query
+				foreach ( $post_types as $post_type ) {
+					$args = array(
+						'posts_per_page' => -1,
+						'post_type'      => $post_type,
+						'tax_query'      => array(
+							array(
+								'taxonomy'         => 'company',
+								'field'            => 'slug',
+								'terms'            => $term->slug,
+								'include_children' => $include,
+							),
+						),
+						'meta_query'     => array(),
+					);
+
+					if ( isset( $_POST['currentjobs'] ) && 'true' === $_POST['currentjobs'] && 'job' === $post_type ) {
+						$args['meta_query'] = array(
+							array(
+								'key'     => 'end-date',
+								'compare' => 'NOT EXISTS',
+								'value'   => '1',
+							),
+						);
+					}
+
+					if ( isset( $_POST['showexpired'] ) && 'true' !== $_POST['showexpired'] && 'qualification' === $post_type ) {
+						$args['meta_query'] = array(
+							array(
+								'key'     => 'Expired',
+								'compare' => 'NOT EXISTS',
+								'value'   => '1',
+							),
+						);
+					}
+					// phpcs:enable
+
+					$posts = get_posts( $args );
+
+					array_push( $term_items, $posts );
+					array_push( $term_item_counts, count( $posts ) );
+				}
+
+				if ( ( isset( $_POST['job'] ) && 'true' === $_POST['job'] && $term_item_counts[0] > 0 ) ||
+				( isset( $_POST['post'] ) && 'true' === $_POST['post'] && $term_item_counts[1] > 0 ) ||
+				( isset( $_POST['website'] ) && 'true' === $_POST['website'] && $term_item_counts[2] > 0 ) ||
+				( isset( $_POST['program'] ) && 'true' === $_POST['program'] && $term_item_counts[3] > 0 ) ||
+				( isset( $_POST['writing'] ) && 'true' === $_POST['writing'] && $term_item_counts[4] > 0 ) ||
+				( isset( $_POST['video'] ) && 'true' === $_POST['video'] && $term_item_counts[5] > 0 ) ||
+				( isset( $_POST['other'] ) && 'true' === $_POST['other'] && $term_item_counts[6] > 0 ) ||
+				( isset( $_POST['qualification'] ) && 'true' === $_POST['qualification'] && $term_item_counts[7] > 0 ) ||
+				( isset( $_POST['award'] ) && 'true' === $_POST['award'] && $term_item_counts[8] > 0 ) ) {
+					$img_url = wp_get_attachment_image_src( $term->image_id, 'full' )[0];
+					$bg_img  = ( ! $img_url ) ? '' : ' background-image: url(' . strtok( $img_url, '?' ) . ');';
+					$colour  = get_term_meta( $term->term_id, 'color', true );
+					$colour  = ( '' !== $colour ) ? $colour : 'transparent';
+
+					echo '<tr class="organisation">';
+						echo '<td class="organisation-logo">';
+						 echo '<a href="' . esc_url( get_term_link( $term, $term->taxonomy ) ) . '">';
+							echo wp_kses_post( '<img style="background-color: ' . $colour . ';" src="' . strtok( $img_url, '?' ) . '" alt="' . $term->name . ' logo">' );
+						 echo '</a>';
+						echo '</td>';
+
+						echo '<td class="organisation-name">';
+						 echo '<a href="' . esc_url( get_term_link( $term, $term->taxonomy ) ) . '">';
+							echo wp_kses_post( '<p>' . $term->name . '</p>' );
+						 echo '</a>';
+						echo '</td>';
+
+						echo '<td class="organisation-items organisation-children">';
+						 $num = ( count( $term_children ) > 0 ) ? '' : 'none';
+						 echo '<div class="organisation-item ' . esc_attr( $num ) . '">';
+							echo wp_kses_post( '<span class="dashicons dashicons-groups"></span><br>' . count( $term_children ) );
+						 echo '</div>';
+						echo '</td>';
+
+						echo '<td class="organisation-items">';
+						 $i = 0;
+					foreach ( $post_types as $post_type ) {
+						$num = ( $term_item_counts[ $i ] > 0 ) ? '' : 'none';
+						echo '<div class="organisation-item ' . esc_attr( $num ) . '">';
+						echo wp_kses_post( '<span class="dashicons dashicons-' . esc_attr( $dashicons[ $i ] ) . '"></span><br>' . $term_item_counts[ $i ] );
+						echo '</div>';
+						$i++;
+					};
+						echo '</td>';
+					echo '</tr>';
+				}
+			}
+		} else {
+			echo '<p>No companies found</p>';
 		}
-	} else {
-		echo '<p>No companies found</p>';
 	}
-	// phpcs:enable
 	die();
 }
 add_action( 'wp_ajax_display_companies', 'display_companies' );
diff --git a/page-experience-by-companies.php b/page-experience-by-companies.php
index e92699a..e3af39a 100644
--- a/page-experience-by-companies.php
+++ b/page-experience-by-companies.php
@@ -26,8 +26,8 @@ get_header(); ?>
 	
 	  <div class="entry-content tile" id="settings">
 		 <h3 style="margin-bottom: 14px;" class="subheading">Settings</h3>
-		 <form action="/experience-by-companies" id="settings" method="GET">
-			<?php wp_nonce_field( 'experience-by-companies' ); ?>
+		 <form action="/experience" id="settings" method="POST">
+			<?php echo wp_kses_post(wp_nonce_field( 'experience', 'settings_nonce' )); ?>
 			<input class="checkbox" type="checkbox" id="toplevel" value="toplevel" checked="checked">
 			<label for="toplevel">Display only top-level organisations</label>
 			<br>
@@ -79,8 +79,14 @@ get_header(); ?>
 		 $('.controlgroup').controlgroup();
 		 $('.refresh').button();
 
+		 $('#refresh').click(function(event) {
+			$(this).css('border-width', '1px');
+			event.preventDefault();
+			displayCompanies();
+		 });
+		 
 		 // Displays the initial organisations grid.
-		 displayCompanies();
+		 $('#refresh').click();
 
 		 $('.expired').hide();
 
@@ -104,17 +110,13 @@ get_header(); ?>
 			}
 		 });
 
-		 $('#refresh').click(function(event) {
-			$(this).css('border-width', '1px');
-			event.preventDefault();
-			displayCompanies();
-		 });
 
 		 function displayCompanies() {
 			$('#organisations-grid').html('<img class="loading" src="/wp-content/uploads/2016/12/ajax-loader.gif">');
 
 			var settings = {
 			   'action': 'display_companies',
+			   'settings_nonce': $('#settings_nonce').val(),
 			   'toplevel': $('#toplevel').is(':checked'),
 			   'job': $('#jobs').is(':checked'),
 			   'currentjobs': $('#currentjobs').is(':checked'),
diff --git a/style.css b/style.css
index 28deb08..f16a4bb 100644
--- a/style.css
+++ b/style.css
@@ -607,6 +607,7 @@ html {
    body > footer {
       grid-area: footer;
       margin-top: 1em;
+      margin-bottom: 1em;
    }
 }
 
diff --git a/taxonomy-company.php b/taxonomy-company.php
index ebcee3f..4fc381f 100644
--- a/taxonomy-company.php
+++ b/taxonomy-company.php
@@ -94,7 +94,9 @@
 
 <main id="split-page" role="main">
 <?php
+		// phpcs:disable WordPress.NamingConventions.ValidHookName.UseUnderscores
    $company_logo = apply_filters( 'taxonomy-images-queried-term-image-url', '', array( 'image_size' => 'full' ) );
+   // phpcs:enable
    $company_name = get_queried_object()->name;
 ?>
    <div id="wrapper">
@@ -130,6 +132,7 @@
 			<div id="parents" class="col-6 col-m-12">
 		 <?php
 			if ( get_queried_object()->parent != 0 ) {
+				// phpcs:disable WordPress.NamingConventions.ValidHookName.UseUnderscores
 				$parents = apply_filters(
 					'taxonomy-images-get-terms',
 					'',
@@ -141,6 +144,7 @@
 						),
 					)
 				);
+				// phpcs:enable
 			}
 
 			if ( count( $parents ) > 0 ) :
@@ -162,6 +166,7 @@
 		
 			<div id="children" class="col-6 col-m-12">
 		 <?php
+		  // phpcs:disable WordPress.NamingConventions.ValidHookName.UseUnderscores
 			$children = apply_filters(
 				'taxonomy-images-get-terms',
 				'',
@@ -171,6 +176,7 @@
 					'term_args'     => array( 'parent' => get_queried_object()->term_id ),
 				)
 			);
+			// phpcs:enable
 			if ( count( $children ) > 0 ) :
 				?>
 			   <h2 class="subheading">Child<?php echo ( count( $children ) != 1 ) ? 'ren' : ''; ?></h2>
diff --git a/template-parts/content-single.php b/template-parts/content-single.php
index 65543fd..2429553 100644
--- a/template-parts/content-single.php
+++ b/template-parts/content-single.php
@@ -12,7 +12,7 @@
 	<header style="background-image: url('<?php the_post_thumbnail_url(); ?>');">
 		<div>
 			<h1 id="post-title">
-			<?php echo esc_html( get_the_title() ); ?>
+			<?php echo wp_kses_post( get_the_title() ); ?>
 			</h1>
 
 			<?php
@@ -168,13 +168,13 @@
 			// phpcs:disable WordPress.CodeAnalysis.AssignmentInCondition
 			$i = 1;
 			while ( $section_title = get_post_meta( get_the_ID(), 'ToC' . $i, true ) ) :
-				?>
+			?>
 				<li>
 					<a href="#section-<?php echo esc_attr( $i++ ); ?>">
-					<?php echo wp_kses_post( $content ); ?>
+					<?php echo wp_kses_post( $section_title ); ?>
 					</a>
 				</li>
-				<?php
+			<?php
 			endwhile;
 			// phpcs:enable 
 			?>