diff --git a/Puc/v5p6/Autoloader.php b/Puc/v5p6/Autoloader.php
index 499b483..0d1357d 100644
--- a/Puc/v5p6/Autoloader.php
+++ b/Puc/v5p6/Autoloader.php
@@ -66,21 +66,33 @@ private static function isPhar() { } public function autoload($className) { - if ( isset($this->staticMap[$className]) && file_exists($this->libraryDir . $this->staticMap[$className]) ) { - include($this->libraryDir . $this->staticMap[$className]); - return; + if (isset($this->staticMap[$className])) { + $file = $this->libraryDir . $this->staticMap[$className]; + $realFile = realpath($file); + $realBase = realpath($this->libraryDir); + + // Check file exists and is inside libraryDir + if ($realFile && strpos($realFile, $realBase) === 0 && file_exists($realFile)) { + include $realFile; + return; + } } - if ( strpos($className, $this->prefix) === 0 ) { + if (strpos($className, $this->prefix) === 0) { $path = substr($className, strlen($this->prefix)); $path = str_replace(array('_', '\\'), '/', $path); - $path = $this->rootDir . $path . '.php'; + $file = $this->rootDir . $path . '.php'; + + $realFile = realpath($file); + $realBase = realpath($this->rootDir); - if ( file_exists($path) ) { - include $path; + // Ensure the file is inside rootDir and exists + if ($realFile && strpos($realFile, $realBase) === 0 && file_exists($realFile)) { + include $realFile; } } } + } endif;
diff --git a/Puc/v5p6/DebugBar/Panel.php b/Puc/v5p6/DebugBar/Panel.php
index 77d2227..2dc46c3 100644
--- a/Puc/v5p6/DebugBar/Panel.php
+++ b/Puc/v5p6/DebugBar/Panel.php
@@ -41,11 +41,11 @@ private function displayConfiguration() { echo '
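Review bot: The containment check `strpos($realFile, $realBase) === 0` in both new branches (the libraryDir one and the rootDir one) is a plain string-prefix test, so a sibling directory whose name merely starts with the base name also passes, and when `realpath()` of the base directory returns `false` the needle is coerced to `''` on PHP 8, which makes `strpos()` return 0 and the check succeed for any resolved file. Checking both realpath results explicitly and comparing against the base with a trailing separator closes both gaps: `if ($realFile !== false && $realBase !== false && strpos($realFile, $realBase . DIRECTORY_SEPARATOR) === 0) {`, applied at both sites. The trailing `file_exists($realFile)` is then redundant, since `realpath()` already returns `false` for a path that does not exist. Separately, `realpath()` does not resolve stream-wrapper paths such as `phar://`, so if libraryDir or rootDir can live inside a phar (the `isPhar()` helper named in the hunk header suggests that case matters here), both branches would now refuse every include; that case deserves either a fallback or a comment explaining why it cannot occur.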

Configuration

'; echo ''; $this->displayConfigHeader(); - $this->row('Slug', htmlentities($this->updateChecker->slug)); - $this->row('DB option', htmlentities($this->updateChecker->optionName)); + $this->row('Slug', htmlentities($this->updateChecker->slug, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8')); + $this->row('DB option', htmlentities($this->updateChecker->optionName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8')); $requestInfoButton = $this->getMetadataButton(); - $this->row('Metadata URL', htmlentities($this->updateChecker->metadataUrl) . ' ' . $requestInfoButton . $this->responseBox); + $this->row('Metadata URL', htmlentities($this->updateChecker->metadataUrl, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8') . ' ' . $requestInfoButton . $this->responseBox); $scheduler = $this->updateChecker->scheduler; if ( $scheduler->checkPeriod > 0 ) { @@ -115,10 +115,10 @@ private function displayStatus() { $this->row('Next automatic check', $this->formatTimeWithDelta($nextCheck)); if ( $state->getCheckedVersion() !== '' ) { - $this->row('Checked version', htmlentities($state->getCheckedVersion())); + $this->row('Checked version', htmlentities($state->getCheckedVersion(), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8')); $this->row('Cached update', $state->getUpdate()); } - $this->row('Update checker class', htmlentities(get_class($this->updateChecker))); + $this->row('Update checker class', htmlentities(get_class($this->updateChecker), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8')); echo '
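Review bot: The flag triple `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8'` is repeated verbatim at every `htmlentities()` call in this hunk and again in the -115, -132 and -170 hunks of this file and in PluginPanel and ThemePanel, which is the kind of literal that drifts the next time a single call site is edited. Every one of these calls feeds `$this->row()`, so one private helper on Panel would keep the escaping policy in a single place, e.g. `private function escape($text) { return htmlentities((string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8'); }`, with the call sites reduced to `$this->escape(...)`. Note that `ENT_HTML401` is already the default document type, so its only effect is documentary; the behavioural change is `ENT_QUOTES` (single quotes escaped as well) and `ENT_SUBSTITUTE` (an invalid UTF-8 sequence is replaced with U+FFFD instead of the whole value collapsing to `''`), which is worth stating in the commit message. The `$requestInfoButton` and `$this->responseBox` fragments concatenated onto the Metadata URL row are presumably pre-built HTML and remain unescaped; if either ever carries server-supplied text it needs escaping where it is built. displayConfiguration continues past the end of the hunk.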
'; } @@ -132,7 +132,7 @@ private function displayCurrentUpdate() { if ( property_exists($update, $field) ) { $this->row( ucwords(str_replace('_', ' ', $field)), - isset($update->$field) ? htmlentities($update->$field) : null + isset($update->$field) ? htmlentities($update->$field, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8') : null ); } } @@ -170,7 +170,7 @@ public function row($name, $value) { if ( is_object($value) || is_array($value) ) { //This is specifically for debugging, so print_r() is fine. //phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r - $value = '
' . htmlentities(print_r($value, true)) . '
'; + $value = '
' . htmlentities(print_r($value, true), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8') . '
'; } else if ($value === null) { $value = 'null'; }
diff --git a/Puc/v5p6/DebugBar/PluginPanel.php b/Puc/v5p6/DebugBar/PluginPanel.php
index 58f2ee9..b7d5ed6 100644
--- a/Puc/v5p6/DebugBar/PluginPanel.php
+++ b/Puc/v5p6/DebugBar/PluginPanel.php
@@ -12,7 +12,7 @@ class PluginPanel extends Panel { protected $updateChecker; protected function displayConfigHeader() { - $this->row('Plugin file', htmlentities($this->updateChecker->pluginFile)); + $this->row('Plugin file', htmlentities($this->updateChecker->pluginFile, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8')); parent::displayConfigHeader(); }
diff --git a/Puc/v5p6/DebugBar/ThemePanel.php b/Puc/v5p6/DebugBar/ThemePanel.php
index 2ffdbf0..005fc84 100644
--- a/Puc/v5p6/DebugBar/ThemePanel.php
+++ b/Puc/v5p6/DebugBar/ThemePanel.php
@@ -13,7 +13,7 @@ class ThemePanel extends Panel { protected $updateChecker; protected function displayConfigHeader() { - $this->row('Theme directory', htmlentities($this->updateChecker->directoryName)); + $this->row('Theme directory', htmlentities($this->updateChecker->directoryName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8')); parent::displayConfigHeader(); }
diff --git a/Puc/v5p6/Plugin/Ui.php b/Puc/v5p6/Plugin/Ui.php
index eee0f22..12bfd43 100644
--- a/Puc/v5p6/Plugin/Ui.php
+++ b/Puc/v5p6/Plugin/Ui.php
@@ -187,7 +187,7 @@ public function handleManualCheck() { } } - wp_redirect(add_query_arg( + wp_safe_redirect(add_query_arg( array( 'puc_update_check_result' => $status, 'puc_slug' => $this->updateChecker->slug,
diff --git a/Puc/v5p6/PucFactory.php b/Puc/v5p6/PucFactory.php
index 2515f97..8acd157 100644
--- a/Puc/v5p6/PucFactory.php
+++ b/Puc/v5p6/PucFactory.php 
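Review bot: `wp_safe_redirect()` in handleManualCheck does not stop execution any more than `wp_redirect()` did, and the `exit` that should follow the call is outside the hunk (the `add_query_arg()` argument list also continues past it), so please confirm it is still there; otherwise the handler keeps running after the Location header is queued. Also, `wp_safe_redirect()` silently rewrites any target whose host is not in `allowed_redirect_hosts` to the admin URL rather than failing, so if the base URL handed to `add_query_arg()` can legitimately point at another host of the same installation, the redirect would now land on the wrong screen without any error. A one-line comment above the call would record that this was considered, e.g. `// The target stays on this site; wp_safe_redirect() falls back to admin_url() for off-host targets.`.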
@@ -86,7 +86,7 @@ public static function buildUpdateChecker($metadataUrl, $fullPath, $slug = '', $ throw new \RuntimeException(sprintf( 'The update checker cannot determine if "%s" is a plugin or a theme. ' . 'This is a bug. Please contact the PUC developer.', - htmlentities($fullPath) + htmlentities($fullPath, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8') )); }
@@ -239,7 +239,7 @@ private static function getServiceURI($fullPath) { //URI was not found so throw an error. throw new \RuntimeException( - sprintf('Unable to locate URI in header of "%s"', htmlentities($fullPath)) + sprintf('Unable to locate URI in header of "%s"', htmlentities($fullPath, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8')) ); }
diff --git a/Puc/v5p6/UpdateChecker.php b/Puc/v5p6/UpdateChecker.php
index 31b83c9..d18c248 100644
--- a/Puc/v5p6/UpdateChecker.php
+++ b/Puc/v5p6/UpdateChecker.php
@@ -1044,7 +1044,7 @@ public function fixDirectoryName($source, $remoteSource, $upgrader) { sprintf( 'The directory structure of the update was incorrect. All files should be inside ' . 'a directory named %s, not at the root of the ZIP archive. Plugin Update Checker tried to fix the directory structure, but failed.', - htmlentities($this->slug) + htmlentities($this->slug, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8') ) ); }