diff --git a/notify_lists.php b/notify_lists.php
index 537563b..48291bf 100644
--- a/notify_lists.php
+++ b/notify_lists.php
@@ -590,7 +590,7 @@ function form_actions() {
 				<input type='hidden' name='action' value='actions'>
 				<input type='hidden' name='save_list' value='1'>
 				<input type='hidden' name='selected_items' value='" . (isset($array) ? serialize($array) : '') . "'>
-				<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+				<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 				$save_html
 			</td>
 		</tr>";
@@ -665,10 +665,10 @@ function form_actions() {
 		print "	<tr>
 				<td class='saveRow'>
 				<input type='hidden' name='action' value='actions'>
-				<input type='hidden' name='id' value='" . get_request_var('id') . "'>
+				<input type='hidden' name='id' value='" . html_escape(get_request_var('id')) . "'>
 				<input type='hidden' name='save_templates' value='1'>
 				<input type='hidden' name='selected_items' value='" . (isset($array) ? serialize($array) : '') . "'>
-				<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+				<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 				$save_html
 			</td>
 		</tr>";
@@ -743,10 +743,10 @@ function form_actions() {
 		print "	<tr>
 				<td class='saveRow'>
 				<input type='hidden' name='action' value='actions'>
-				<input type='hidden' name='id' value='" . get_request_var('id') . "'>
+				<input type='hidden' name='id' value='" . html_escape(get_request_var('id')) . "'>
 				<input type='hidden' name='save_tholds' value='1'>
 				<input type='hidden' name='selected_items' value='" . (isset($array) ? serialize($array) : '') . "'>
-				<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+				<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 				$save_html
 			</td>
 		</tr>";
@@ -828,10 +828,10 @@ function form_actions() {
 		print "<tr>
 			<td class='saveRow'>
 				<input type='hidden' name='action' value='actions'>
-				<input type='hidden' name='id' value='" . get_request_var('id') . "'>
+				<input type='hidden' name='id' value='" . html_escape(get_request_var('id')) . "'>
 				<input type='hidden' name='save_associate' value='1'>
 				<input type='hidden' name='selected_items' value='" . (isset($array) ? serialize($array) : '') . "'>
-				<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+				<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 				$save_html
 			</td>
 		</tr>";
@@ -1138,7 +1138,7 @@ function hosts($header_label) {
 		<script type='text/javascript'>
 
 		function applyFilter() {
-			strURL  = '?header=false&action=edit&id=<?php print get_request_var('id'); ?>'
+			strURL  = '?header=false&action=edit&id=<?php print (int)get_filter_request_var('id'); ?>'
 			strURL += '&rows=' + $('#rows').val();
 			strURL += '&host_template_id=' + $('#host_template_id').val();
 			strURL += '&site_id=' + $('#site_id').val();
@@ -1148,12 +1148,12 @@ function applyFilter() {
 		}
 
 		function clearFilter() {
-			strURL = 'notify_lists.php?header=false&action=edit&id=<?php print get_request_var('id'); ?>&clear=true'
+			strURL = 'notify_lists.php?header=false&action=edit&id=<?php print (int)get_filter_request_var('id'); ?>&clear=true'
 			loadPageNoHeader(strURL);
 		}
 
 		$(function() {
-			$('#form_devices').submit(function(event) {
+			$('#form_devices').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1241,7 +1241,7 @@ function clearFilter() {
 
 	$hosts = db_fetch_assoc_prepared($sql_query, $sql_params);
 
-	$nav = html_nav_bar('notify_lists.php?action=edit&id=' . get_request_var('id'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 10, __('Devices', 'thold'), 'page', 'main');
+	$nav = html_nav_bar('notify_lists.php?action=edit&id=' . (int)get_request_var('id'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 10, __('Devices', 'thold'), 'page', 'main');
 
 	form_start('notify_lists.php', 'chk');
 
@@ -1387,7 +1387,7 @@ function tholds($header_label) {
 	$limit = ($rows * (intval(get_request_var('page')) - 1)) . ", $rows";
 
 	if (!isempty_request_var('template') && get_request_var('template') != '-1') {
-		$sql_where .= ($sql_where == '' ? '' : ' AND ') . 'td.data_template_id = ' . get_request_var('template');
+		$sql_where .= ($sql_where == '' ? '' : ' AND ') . 'td.data_template_id = ' . (int)get_request_var('template');
 	}
 
 	if (get_request_var('site_id') == '-1') {
@@ -1395,11 +1395,11 @@ function tholds($header_label) {
 	} elseif (get_request_var('site_id') == '0') {
 		$sql_where .= ($sql_where == '' ? '' : ' AND ') . ' h.site_id=0';
 	} elseif (!isempty_request_var('site_id')) {
-		$sql_where .= ($sql_where == '' ? '' : ' AND ') . ' h.site_id=' . get_request_var('site_id');
+		$sql_where .= ($sql_where == '' ? '' : ' AND ') . ' h.site_id=' . (int)get_request_var('site_id');
 	}
 
 	if (strlen(get_request_var('rfilter'))) {
-		$sql_where .= (!strlen($sql_where) ? '' : ' AND ') . "td.name_cache RLIKE '" . get_request_var('rfilter') . "'";
+		$sql_where .= (!strlen($sql_where) ? '' : ' AND ') . 'td.name_cache RLIKE ' . db_qstr(get_request_var('rfilter'));
 	}
 
 	if ($statefilter != '') {
@@ -1407,7 +1407,7 @@ function tholds($header_label) {
 	}
 
 	if (get_request_var('associated') == 'true') {
-		$sql_where .= (!strlen($sql_where) ? '' : ' AND ') . '(td.notify_warning=' . get_request_var('id') . ' OR td.notify_alert=' . get_request_var('id') . ')';
+		$sql_where .= (!strlen($sql_where) ? '' : ' AND ') . '(td.notify_warning=' . (int)get_request_var('id') . ' OR td.notify_alert=' . (int)get_request_var('id') . ')';
 	}
 
 	$result = get_allowed_thresholds($sql_where, $sort, $limit, $total_rows);
@@ -1507,7 +1507,7 @@ function tholds($header_label) {
 		<script type='text/javascript'>
 
 		function applyFilter() {
-			strURL  = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print get_request_var('id'); ?>'
+			strURL  = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print (int)get_filter_request_var('id'); ?>'
 			strURL += '&associated=' + $('#associated').is(':checked');
 			strURL += '&state=' + $('#state').val();
 			strURL += '&site_id=' + $('#site_id').val();
@@ -1518,12 +1518,12 @@ function applyFilter() {
 		}
 
 		function clearFilter() {
-			strURL = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print get_request_var('id'); ?>&clear=true'
+			strURL = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print (int)get_filter_request_var('id'); ?>&clear=true'
 			loadPageNoHeader(strURL);
 		}
 
 		$(function() {
-			$('#listthold').submit(function(event) {
+			$('#listthold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1796,7 +1796,7 @@ function templates($header_label) {
 		<script type='text/javascript'>
 
 		function applyFilter() {
-			strURL  = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print get_request_var('id'); ?>'
+			strURL  = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print (int)get_filter_request_var('id'); ?>'
 			strURL += '&associated=' + $('#associated').is(':checked');
 			strURL += '&rows=' + $('#rows').val();
 			strURL += '&rfilter=' + base64_encode($('#rfilter').val());
@@ -1804,12 +1804,12 @@ function applyFilter() {
 		}
 
 		function clearFilter() {
-			strURL = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print get_request_var('id'); ?>&clear=true'
+			strURL = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print (int)get_filter_request_var('id'); ?>&clear=true'
 			loadPageNoHeader(strURL);
 		}
 
 		$(function() {
-			$('#listthold').submit(function(event) {
+			$('#listthold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -2128,7 +2128,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#lists').submit(function(event) {
+			$('#lists').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
diff --git a/notify_queue.php b/notify_queue.php
index 54afa47..e5eee3e 100644
--- a/notify_queue.php
+++ b/notify_queue.php
@@ -331,30 +331,30 @@ function clearFilter() {
 			}
 
 			$(function() {
-				$('#refresh').click(function() {
+				$('#refresh').on('click', function() {
 					applyFilter();
 				});
 
-				$('#clear').click(function() {
+				$('#clear').on('click', function() {
 					clearFilter();
 				});
 
-				$('#suspend').click(function() {
+				$('#suspend').on('click', function() {
 					strURL = 'notify_queue.php?action=suspend';
 					loadPage(strURL);
 				});
 
-				$('#resume').click(function() {
+				$('#resume').on('click', function() {
 					strURL = 'notify_queue.php?action=resume';
 					loadPage(strURL);
 				});
 
-				$('#purge').click(function() {
+				$('#purge').on('click', function() {
 					strURL = 'notify_queue.php?action=purge';
 					loadPage(strURL);
 				});
 
-				$('#form_notify').submit(function(event) {
+				$('#form_notify').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
diff --git a/setup.php b/setup.php
index e22ca94..98f871a 100644
--- a/setup.php
+++ b/setup.php
@@ -1233,7 +1233,7 @@ function thold_page_head() {
 	<script type='text/javascript'>
 	$(function() {
 		$(document).ajaxComplete(function() {
-			$('.tholdVRule').unbind().click(function(event) {
+			$('.tholdVRule').off().on('click', function(event) {
 				event.preventDefault();
 
 				href = $(this).attr('href');
@@ -1394,14 +1394,14 @@ function thold_device_top() {
 			$('#cdialog').dialog();
 		});
 
-		$('#continue').click(function(data) {
+		$('#continue').on('click', function(data) {
 			$.post('host.php?action=item_remove_tt', {
 				__csrf_magic: csrfMagicToken,
-				host_id: <?php print get_request_var('host_id'); ?>,
-				id: <?php print get_request_var('id'); ?>
+				host_id: <?php print (int)get_filter_request_var('host_id'); ?>,
+				id: <?php print (int)get_filter_request_var('id'); ?>
 			}).done(function(data) {
 				$('#cdialog').dialog('close');
-				loadPageNoHeader('host.php?action=edit&header=false&id=<?php print get_request_var('host_id'); ?>');
+				loadPageNoHeader('host.php?action=edit&header=false&id=<?php print (int)get_filter_request_var('host_id'); ?>');
 			});
 		});
 		</script>
@@ -1503,15 +1503,13 @@ function thold_device_template_edit() {
 				</table>
 				<script type='text/javascript'>
 				function addThresholdTemplate() {
-					$('#add_tt').click(function() {
-						scrollTop = $(window).scrollTop();
-						$.post('host_templates.php?header=false&action=item_add_tt', {
-							host_template_id: $('#id').val(),
-							thold_template_id: $('#thold_template_id').val(),
-							__csrf_magic: csrfMagicToken})
-						.done(function(data) {
-							loadPageNoHeader(urlPath+'host_templates.php?header=false&action=edit&id='+$('#id').val());
-						});
+					scrollTop = $(window).scrollTop();
+					$.post('host_templates.php?header=false&action=item_add_tt', {
+						host_template_id: $('#id').val(),
+						thold_template_id: $('#thold_template_id').val(),
+						__csrf_magic: csrfMagicToken})
+					.done(function(data) {
+						loadPageNoHeader(urlPath+'host_templates.php?header=false&action=edit&id='+$('#id').val());
 					});
 				}
 				</script>
@@ -1564,14 +1562,14 @@ function thold_device_template_top() {
 			$('#cdialog').dialog();
 		});
 
-	    $('#continue').click(function(data) {
+	    $('#continue').on('click', function(data) {
 			$.post('host_templates.php?action=item_remove_tt', {
 				__csrf_magic: csrfMagicToken,
-				host_template_id: <?php print get_request_var('host_template_id'); ?>,
-				id: <?php print get_request_var('id'); ?>
+				host_template_id: <?php print (int)get_filter_request_var('host_template_id'); ?>,
+				id: <?php print (int)get_filter_request_var('id'); ?>
 			}).done(function(data) {
 				$('#cdialog').dialog('close');
-				loadPageNoHeader('host_templates.php?action=edit&header=false&id=<?php print get_request_var('host_template_id'); ?>');
+				loadPageNoHeader('host_templates.php?action=edit&header=false&id=<?php print (int)get_filter_request_var('host_template_id'); ?>');
 			});
 		});
 		</script>
diff --git a/tests/Integration/test_notify_list_wiring.php b/tests/Integration/test_notify_list_wiring.php
new file mode 100644
index 0000000..5d492fe
--- /dev/null
+++ b/tests/Integration/test_notify_list_wiring.php
@@ -0,0 +1,24 @@
+<?php
+
+$source = file_get_contents(dirname(__DIR__, 2) . '/notify_lists.php');
+
+if ($source === false) {
+	fwrite(STDERR, "Unable to read notify_lists.php\n");
+	exit(1);
+}
+
+$checks = array(
+	"id=<?php print (int)get_filter_request_var('id'); ?>",
+	"'notify_lists.php?action=edit&id=' . (int)get_request_var('id')",
+	"<input type='hidden' name='id' value='\" . html_escape(get_request_var('id')) . \"'>",
+	"<input type='hidden' name='drp_action' value='\" . html_escape(get_request_var('drp_action')) . \"'>",
+);
+
+foreach ($checks as $needle) {
+	if (strpos($source, $needle) === false) {
+		fwrite(STDERR, "Missing expected notify list wiring\n");
+		exit(1);
+	}
+}
+
+echo "OK\n";
diff --git a/tests/Unit/test_notify_list_security_guards.php b/tests/Unit/test_notify_list_security_guards.php
new file mode 100644
index 0000000..1b7d86f
--- /dev/null
+++ b/tests/Unit/test_notify_list_security_guards.php
@@ -0,0 +1,26 @@
+<?php
+
+$source = file_get_contents(dirname(__DIR__, 2) . '/notify_lists.php');
+
+if ($source === false) {
+	fwrite(STDERR, "Unable to read notify_lists.php\n");
+	exit(1);
+}
+
+$needles = array(
+	"html_escape(get_request_var('drp_action'))",
+	"html_escape(get_request_var('id'))",
+	"'td.data_template_id = ' . (int)get_request_var('template')",
+	"' h.site_id=' . (int)get_request_var('site_id')",
+	"'td.name_cache RLIKE ' . db_qstr(get_request_var('rfilter'))",
+	"'(td.notify_warning=' . (int)get_request_var('id') . ' OR td.notify_alert=' . (int)get_request_var('id') . ')'",
+);
+
+foreach ($needles as $needle) {
+	if (strpos($source, $needle) === false) {
+		fwrite(STDERR, "Missing expected notify list guard\n");
+		exit(1);
+	}
+}
+
+echo "OK\n";
diff --git a/tests/e2e/test_notify_list_no_raw_sql_or_form_reuse.php b/tests/e2e/test_notify_list_no_raw_sql_or_form_reuse.php
new file mode 100644
index 0000000..2207948
--- /dev/null
+++ b/tests/e2e/test_notify_list_no_raw_sql_or_form_reuse.php
@@ -0,0 +1,26 @@
+<?php
+
+$source = file_get_contents(dirname(__DIR__, 2) . '/notify_lists.php');
+
+if ($source === false) {
+	fwrite(STDERR, "Unable to read notify_lists.php\n");
+	exit(1);
+}
+
+$legacy = array(
+	"<input type='hidden' name='drp_action' value='\" . get_request_var('drp_action') . \"'>",
+	"<input type='hidden' name='id' value='\" . get_request_var('id') . \"'>",
+	"td.name_cache RLIKE '\" . get_request_var('rfilter') . \"'",
+	"'td.data_template_id = ' . get_request_var('template')",
+	"' h.site_id=' . get_request_var('site_id')",
+	"'(td.notify_warning=' . get_request_var('id') . ' OR td.notify_alert=' . get_request_var('id') . ')'",
+);
+
+foreach ($legacy as $needle) {
+	if (strpos($source, $needle) !== false) {
+		fwrite(STDERR, "Found legacy insecure notify list pattern\n");
+		exit(1);
+	}
+}
+
+echo "OK\n";
diff --git a/thold.php b/thold.php
index a098e3c..1cae7ea 100644
--- a/thold.php
+++ b/thold.php
@@ -784,7 +784,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#thold').submit(function(event) {
+			$('#thold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
diff --git a/thold_graph.php b/thold_graph.php
index 97a61af..f2c2fd7 100644
--- a/thold_graph.php
+++ b/thold_graph.php
@@ -251,7 +251,7 @@ function form_thold_filter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' id='page' value='<?php print get_request_var('page'); ?>'>
+			<input type='hidden' id='page' value='<?php print html_escape_request_var('page'); ?>'>
 			<input type='hidden' id='tab' value='thold'>
 		</form>
 		<script type='text/javascript'>
@@ -274,7 +274,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#thold').submit(function(event) {
+			$('#thold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1261,7 +1261,7 @@ function form_host_filter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' name='page' value='<?php print get_request_var('page'); ?>'>
+			<input type='hidden' name='page' value='<?php print html_escape_request_var('page'); ?>'>
 			<input type='hidden' name='tab' value='hoststat'>
 		</form>
 		<script type='text/javascript'>
@@ -1282,7 +1282,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#form_devices').submit(function(event) {
+			$('#form_devices').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1763,7 +1763,7 @@ function exportLog() {
 		}
 
 		$(function() {
-			$('#form_log').submit(function(event) {
+			$('#form_log').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
diff --git a/thold_process.php b/thold_process.php
index c0f4b5b..54a96a2 100644
--- a/thold_process.php
+++ b/thold_process.php
@@ -162,7 +162,7 @@
 				$item = [];
 
 				if (substr($thold_data['rrd_reindexed'], 0, 1) == 'a') {
-					$rrd_reindexed[$thold_data['local_data_id']] = cacti_unserialize($thold_data['rrd_reindexed']);
+					$rrd_reindexed[$thold_data['local_data_id']] = cacti_unserialize($thold_data['rrd_reindexed'], array('allowed_classes' => false));
 				} else {
 					$rrd_reindexed[$thold_data['local_data_id']] = json_decode($thold_data['rrd_reindexed'], true);
 				}
diff --git a/thold_templates.php b/thold_templates.php
index 1590247..aa2e715 100644
--- a/thold_templates.php
+++ b/thold_templates.php
@@ -565,7 +565,7 @@ function applyFilter(type) {
 		}
 
 		$(function() {
-			$('#go').button().click(function() {
+			$('#go').button().on('click', function() {
 				strURL = $('#tholdform').attr('action');
 				json   = $('input, select').serializeObject();
 				loadPageUsingPost(strURL, json);
@@ -2201,7 +2201,7 @@ function importTemplate() {
 			}
 
 			$(function() {
-				$('#listthold').submit(function(event) {
+				$('#listthold').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
@@ -2566,7 +2566,7 @@ function thold_form_end($ajax = true) {
 	if ($ajax) { ?>
 		<script type='text/javascript'>
 		$(function() {
-			$('#<?php print $form_id; ?>').submit(function(event) {
+			$('#<?php print $form_id; ?>').on('submit', function(event) {
 				if ($('#drp_action').val() != '1') {
 					event.preventDefault();
 					strURL  = '<?php print $form_action; ?>';
diff --git a/thold_webapi.php b/thold_webapi.php
index b42e8c1..d443db8 100644
--- a/thold_webapi.php
+++ b/thold_webapi.php
@@ -839,7 +839,7 @@ function applyTholdFilter() {
 	$(function() {
 		if ($('#type_id').val() == 'template') {
 			$('#submit').prev().hide();
-			$('#submit').off().click(function(event) {
+			$('#submit').off().on('click', function(event) {
 				event.preventDefault();
 
 				json = $('input, select').serializeObject();
@@ -861,7 +861,7 @@ function applyTholdFilter() {
 function thold_new_graphs_save($host_id) {
 	$return_array = false;
 
-	$selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')));
+	$selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')), array('allowed_classes' => false));
 
 	$values = [];