diff --git a/.gitignore b/.gitignore
index 6621d40..f857b7e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@
 .git*
 
 locales/po/*.mo
+.omc/
diff --git a/functions.php b/functions.php
index c3627e0..e44a96c 100644
--- a/functions.php
+++ b/functions.php
@@ -98,7 +98,7 @@ function graph_export($id = 0, $force = false) {
 			db_execute_prepared('UPDATE graph_exports
 				SET last_checked = NOW()
 				WHERE id = ?',
-				array($export['id']));
+				[$export['id']]);
 
 			$runnow = false;
 			if (!$force) {
@@ -108,7 +108,7 @@ function graph_export($id = 0, $force = false) {
 
 					db_execute_prepared('UPDATE graph_exports
 						SET next_start = ? WHERE id = ?',
-						array($next_start, $export['id']));
+						[$next_start, $export['id']]);
 				}
 			} else {
 				$runnow = true;
@@ -207,7 +207,7 @@ function run_export(&$export) {
 		export_pre_ftp_upload($export, $stExportDir);
 
 		export_log('Using ncftpput.');
-		export_ftp_ncftpput_execute($export, $stExportDir);
+		export_ftp_ncftpput_execute($stExportDir);
 		export_post_ftp_upload($export, $stExportDir);
 
 		break;
@@ -253,7 +253,7 @@ function run_export(&$export) {
 		export_fatal($export, 'Export method not specified. Exporting can not continue.  Please set method properly in Cacti configuration.');
 	}
 
-	db_execute_prepared('UPDATE graph_exports SET export_pid = 0 WHERE id = ?', array($export['id']));
+	db_execute_prepared('UPDATE graph_exports SET export_pid = 0 WHERE id = ?', [$export['id']]);
 
 	config_export_stats($export, $exported);
 }
@@ -263,7 +263,7 @@ function export_rsync_execute(&$export, $stExportDir) {
 	$user   = $export['export_user'];
 	$port   = $export['export_port'];
 	$host   = $export['export_host'];
-	$output = array();
+	$output = [];
 	$prune  = '';
 	$retvar = 0;
 
@@ -340,7 +340,7 @@ function export_scp_execute(&$export, $stExportDir) {
 	$user   = $export['export_user'];
 	$port   = $export['export_port'];
 	$host   = $export['export_host'];
-	$output = array();
+	$output = [];
 	$retvar = 0;
 
 	if ($export['export_private_key_path'] != '') {
@@ -444,9 +444,9 @@ function config_export_stats(&$export, $exported) {
 	db_execute_prepared('UPDATE graph_exports
 		SET last_runtime = ?, total_graphs = ?, last_ended=NOW(), status=0
 		WHERE id = ?',
-		array($end - $start, $exported, $export['id']));
+		[$end - $start, $exported, $export['id']]);
 
-	db_execute_prepared(sprintf("REPLACE INTO settings (name,value) values ('stats_export_%s', ?)", $export['id']), array($export_stats));
+	db_execute_prepared(sprintf("REPLACE INTO settings (name,value) values ('stats_export_%s', ?)", $export['id']), [$export_stats]);
 }
 
 /* export_fatal - a simple export logging function that indicates a
@@ -460,7 +460,7 @@ function export_fatal(&$export, $stMessage) {
 	db_execute_prepared('UPDATE graph_exports
 		SET last_error = ?, last_ended=NOW(), last_errored=NOW(), status=2
 		WHERE id = ?',
-		array($stMessage, $export['id']));
+		[$stMessage, $export['id']]);
 
 	exit;
 }
@@ -558,7 +558,7 @@ function check_cacti_paths(&$export, $export_path) {
 
 	/* check for bad directories within the cacti path */
 	if (strcasecmp($root_path, $export_path) < 0) {
-		$cacti_system_paths = array(
+		$cacti_system_paths = [
 			'include',
 			'lib',
 			'install',
@@ -567,7 +567,7 @@ function check_cacti_paths(&$export, $export_path) {
 			'scripts',
 			'plugins',
 			'images',
-			'resource');
+			'resource'];
 
 		foreach($cacti_system_paths as $cacti_system_path) {
 			if (substr_count(strtolower($export_path), strtolower($cacti_system_path)) > 0) {
@@ -591,7 +591,7 @@ function check_cacti_paths(&$export, $export_path) {
 
 function check_system_paths(&$export, $export_path) {
 	/* don't allow to export to system paths */
-	$system_paths = array(
+	$system_paths = [
 		'/boot',
 		'/lib',
 		'/usr',
@@ -606,7 +606,7 @@ function check_system_paths(&$export, $export_path) {
 		'/etc',
 		'windows',
 		'winnt',
-		'program files');
+		'program files'];
 
 	foreach($system_paths as $system_path) {
 		if (substr($system_path, 0, 1) == '/') {
@@ -676,16 +676,16 @@ function export_graphs(&$export, $export_path) {
 	$sites      = $export['graph_site'];
 	$export_id  = $export['id'];
 
-	$ntree      = array();
-	$graphs     = array();
-	$ngraph     = array();
+	$ntree      = [];
+	$graphs     = [];
+	$ngraph     = [];
 
 	$limit      = 1000;
 	$sql_where  = '';
 	$hosts      = '';
 	$total_rows = 0;
 	$exported   = 0;
-	$metadata   = array();
+	$metadata   = [];
 
 	if ($user == 0) {
 		$user = -1;
@@ -792,7 +792,7 @@ function export_graphs(&$export, $export_path) {
 					SET last_error="WARNING: Max number of Graphs ' . $export['graph_max'] . ' reached",
 					last_errored=NOW()
 					WHERE id = ?',
-					array($export['id']));
+					[$export['id']]);
 
 				break;
 			}
@@ -807,9 +807,21 @@ function export_graphs(&$export, $export_path) {
 }
 
 function delTree($dir, $skip = false) {
-	$files = array_diff(scandir($dir), array('.','..'));
+	$dir = realpath($dir);
+	if ($dir === false) {
+		return false;
+	}
+
+	$files = array_diff(scandir($dir), ['.','..']);
 	foreach ($files as $file) {
-		(is_dir("$dir/$file") && !is_link($dir)) ? delTree("$dir/$file") : unlink("$dir/$file");
+		$path = "$dir/$file";
+		if (is_link($path)) {
+			unlink($path);
+		} elseif (is_dir($path)) {
+			delTree($path);
+		} else {
+			unlink($path);
+		}
 	}
 	return ($skip ? 0 : rmdir($dir));
 }
@@ -875,7 +887,7 @@ function export_graph_monitor_tasks($export) {
 						WHERE status = 1
 						AND id = ?
 						AND pid = ?',
-						array($id, $pid));
+						[$id, $pid]);
 					$thread_adj--;
 				}
 			}
@@ -920,7 +932,7 @@ function export_graph_prepare_task($export_id, $user, $folder, $local_graph_id)
 
 	// MJV: Do something here
 	db_execute_prepared('INSERT INTO graph_exports_tasks (export_id, local_graph_id, user, folder)
-		VALUES (?, ?, ?, ?)', array($export_id, $local_graph_id, $user, $folder));
+		VALUES (?, ?, ?, ?)', [$export_id, $local_graph_id, $user, $folder]);
 }
 
 function export_graph_start_task($task_id) {
@@ -930,7 +942,7 @@ function export_graph_start_task($task_id) {
 
 	$task = db_fetch_row_prepared('SELECT * FROM graph_exports_tasks
 		WHERE id = ?',
-		array($task_id));
+		[$task_id]);
 
 	if (!sizeof($task)) {
 		export_warn('TASKS Launched ' . $task_id . ' - Invalid ID, Aborting');
@@ -944,14 +956,14 @@ function export_graph_start_task($task_id) {
 
 		$export = db_fetch_row_prepared('SELECT * FROM graph_exports
 			WHERE id = ?',
-			array($task['export_id']));
+			[$task['export_id']]);
 
 		$exports = export_graph_files($export, $task['user'], $task['folder'], $task['local_graph_id']);
 
 		db_execute_prepared('UPDATE graph_exports_tasks
 			SET status = 2
 			WHERE id = ?',
-			array($task['id']));
+			[$task['id']]);
 	}
 	$end = microtime(true);
 
@@ -1207,6 +1219,12 @@ function export_ftp_php_uploaddir($dir, $oFtpConnection) {
 function export_ftp_ncftpput_execute($stExportDir) {
 	global $aFtpExport;
 
+	$stExportDir = realpath($stExportDir);
+	if ($stExportDir === false) {
+		cacti_log('ERROR: Export directory does not exist for ncftpput', true, 'EXPORT');
+		return;
+	}
+
 	chdir($stExportDir);
 
 	/* set the initial command structure */
@@ -1224,7 +1242,7 @@ function export_ftp_ncftpput_execute($stExportDir) {
 	$iExecuteReturns = 0;
 	system($stExecute, $iExecuteReturns);
 
-	$aNcftpputStatusCodes = array (
+	$aNcftpputStatusCodes = [
 		'Success.',
 		'Could not connect to remote host.',
 		'Could not connect to remote host - timed out.',
@@ -1236,7 +1254,7 @@ function export_ftp_ncftpput_execute($stExportDir) {
 		'Usage error.',
 		'Error in login configuration file.',
 		'Library initialization failed.',
-		'Session initialization failed.');
+		'Session initialization failed.'];
 
 	export_log('Ncftpput returned: ' . $aNcftpputStatusCodes[$iExecuteReturns]);
 }
@@ -1281,9 +1299,17 @@ function export_post_ftp_upload(&$export, $stExportDir) {
    @arg $user         - the effective user to use for export, -1 indicates no permission check
    @arg $export_path  - the location to store the json array configuration file */
 function write_branch_conf($tree_site_id, $branch_id, $type, $host_id, $sub_id, $user, $export_path) {
-	static $json_files = array();
+	static $json_files = [];
 	$total_rows  = 0;
-	$graph_array = array();
+	$graph_array = [];
+
+	$export_path   = realpath($export_path);
+	if ($export_path === false) {
+		return 0;
+	}
+	$tree_site_id  = (int) $tree_site_id;
+	$branch_id     = (int) $branch_id;
+	$host_id       = (int) $host_id;
 
 	if ($type == 'branch') {
 		$json_file = $export_path . '/tree_' . $tree_site_id . '_branch_' . $branch_id . '.json';
@@ -1295,47 +1321,55 @@ function write_branch_conf($tree_site_id, $branch_id, $type, $host_id, $sub_id,
 			WHERE graph_tree_id = ?
 			AND parent = ?
 			AND local_graph_id > 0
-			ORDER BY position', array($tree_site_id, $branch_id));
+			ORDER BY position', [$tree_site_id, $branch_id]);
 	} elseif ($type == 'gtbranch') {
 		$json_file = $export_path . '/site_' . $tree_site_id . '_gtbranch_0.json';
 
 		if (isset($json_files[$json_file])) return;
 
-		$graphs = array();
+		$graphs = [];
 	} elseif ($type == 'dqbranch') {
 		$json_file = $export_path . '/site_' . $tree_site_id . '_gtbranch_0.json';
 
 		if (isset($json_files[$json_file])) return;
 
-		$graphs = array();
+		$graphs = [];
 	} elseif ($type == 'site') {
 		$json_file = $export_path . '/site_' . $tree_site_id . '.json';
 
 		if (isset($json_files[$json_file])) return;
 
-		$graphs = array();
+		$graphs = [];
 	} elseif ($type == 'site_dt') {
 		$json_file = $export_path . '/site_' . $tree_site_id . '_dt_' . $sub_id . '.json';
 
 		if (isset($json_files[$json_file])) return;
 
-		$graphs = array();
+		$graphs = [];
 	} elseif ($type == 'site_gt') {
 		$json_file = $export_path . '/site_' . $tree_site_id . '_gt_' . $sub_id . '.json';
 
 		if (isset($json_files[$json_file])) return;
 
-		$devices = array_rekey(db_fetch_assoc_prepared('SELECT id FROM host WHERE site_id = ?', array($tree_site_id)), 'id', 'id');
+		$devices = array_rekey(db_fetch_assoc_prepared('SELECT id FROM host WHERE site_id = ?', [$tree_site_id]), 'id', 'id');
 
-		$graphs = get_allowed_graphs('(gl.host_id IN(' . implode(',', $devices) . ') AND gt.id = ' . $sub_id . ')', 'gtg.title_cache', '', $total_rows, $user);
+		if (empty($devices)) {
+			$graphs = [];
+		} else {
+			$graphs = get_allowed_graphs('(gl.host_id IN(' . implode(',', $devices) . ') AND gt.id = ' . $sub_id . ')', 'gtg.title_cache', '', $total_rows, $user);
+		}
 	} elseif ($type == 'site_dq') {
 		$json_file = $export_path . '/site_' . $tree_site_id . '_dq_' . $sub_id . '.json';
 
 		if (isset($json_files[$json_file])) return;
 
-		$devices = array_rekey(db_fetch_assoc_prepared('SELECT id FROM host WHERE site_id = ?', array($tree_site_id)), 'id', 'id');
+		$devices = array_rekey(db_fetch_assoc_prepared('SELECT id FROM host WHERE site_id = ?', [$tree_site_id]), 'id', 'id');
 
-		$graphs = get_allowed_graphs('(gl.host_id IN(' . implode(',', $devices) . ') AND gl.snmp_query_id = ' . $sub_id . ')', 'gtg.title_cache', '', $total_rows, $user);
+		if (empty($devices)) {
+			$graphs = [];
+		} else {
+			$graphs = get_allowed_graphs('(gl.host_id IN(' . implode(',', $devices) . ') AND gl.snmp_query_id = ' . $sub_id . ')', 'gtg.title_cache', '', $total_rows, $user);
+		}
 	} elseif ($type == 'site_dqi') {
 		$parts   = explode(':', $sub_id);
 		$dq      = $parts[0];
@@ -1346,7 +1380,7 @@ function write_branch_conf($tree_site_id, $branch_id, $type, $host_id, $sub_id,
 
 		if (isset($json_files[$json_file])) return;
 
-		$devices = array_rekey(db_fetch_assoc_prepared('SELECT id FROM host WHERE site_id = ?', array($tree_site_id)), 'id', 'id');
+		$devices = array_rekey(db_fetch_assoc_prepared('SELECT id FROM host WHERE site_id = ?', [$tree_site_id]), 'id', 'id');
 
 		$sql_where = '';
 		if (is_array($values) && cacti_sizeof($values)) {
@@ -1358,7 +1392,11 @@ function write_branch_conf($tree_site_id, $branch_id, $type, $host_id, $sub_id,
 			$sql_where .= ')';
 		}
 
-		$graphs = get_allowed_graphs('(gl.host_id IN(' . implode(',', $devices) . ') AND gl.snmp_query_id=' . $dq . $sql_where . ')', 'gtg.title_cache', '', $total_rows, $user);
+		if (empty($devices)) {
+			$graphs = [];
+		} else {
+			$graphs = get_allowed_graphs('(gl.host_id IN(' . implode(',', $devices) . ') AND gl.snmp_query_id=' . $dq . $sql_where . ')', 'gtg.title_cache', '', $total_rows, $user);
+		}
 	} elseif ($type == 'host') {
 		$json_file = $export_path . '/host_' . $host_id . '.json';
 
@@ -1411,7 +1449,7 @@ function write_branch_conf($tree_site_id, $branch_id, $type, $host_id, $sub_id,
 
 	$json_files[$json_file] = true;
 
-	return cacti_sizeof($graph_array);;
+	return cacti_sizeof($graph_array);
 }
 
 /* export_generate_tree_html - create jstree compatible static tree html.  This is a
@@ -1441,7 +1479,7 @@ function export_generate_tree_html($export_path, $tree, $parent, $expand_hosts,
 		AND host_id = 0
 		AND graph_tree_id = ?
 		AND parent = ?',
-		array($tree['id'], $parent));
+		[$tree['id'], $parent]);
 
 	if (cacti_sizeof($branches)) {
 		foreach($branches as $branch) {
@@ -1452,7 +1490,7 @@ function export_generate_tree_html($export_path, $tree, $parent, $expand_hosts,
 				WHERE graph_tree_id = ?
 				AND local_graph_id = 0
 				AND parent = ?',
-				array($tree['id'], $branch['id']));
+				[$tree['id'], $branch['id']]);
 
 			$jstree .= str_repeat("\t", $depth) . '<li id="tree_' . $tree['id'] . '_branch_' . $branch['id'] . '">' . $branch['title'];
 
@@ -1475,7 +1513,7 @@ function export_generate_tree_html($export_path, $tree, $parent, $expand_hosts,
 		WHERE graph_tree_id = ?
 		AND parent = ?
 		AND host_id > 0
-		ORDER BY position', array($tree['id'], $parent));
+		ORDER BY position', [$tree['id'], $parent]);
 
 	if (cacti_sizeof($hosts)) {
 		foreach($hosts as $host) {
@@ -1519,7 +1557,7 @@ function export_generate_tree_html($export_path, $tree, $parent, $expand_hosts,
 								INNER JOIN host_snmp_query AS hsq
 								ON sq.id=hsq.snmp_query_id
 								WHERE hsq.host_id = ?',
-								array($host['host_id']));
+								[$host['host_id']]);
 
 							$data_queries[] = array('id' => '0', 'name' => __('Non Query Based', 'gexport'));
 
@@ -1543,9 +1581,9 @@ function export_generate_tree_html($export_path, $tree, $parent, $expand_hosts,
 										FROM graph_local AS gl
 										WHERE host_id = ?
 										AND snmp_query_id = ?',
-										array($host['host_id'], $query['id']));
+										[$host['host_id'], $query['id']]);
 
-									$dqi = array();
+									$dqi = [];
 									foreach($graphs as $graph) {
 										$dqi[$graph['snmp_index']] = $graph['snmp_index'];
 									}
@@ -1621,7 +1659,7 @@ function export_generate_site_html($export_path, $site, $parent, $expand_hosts,
 		FROM host_template AS dt
 		INNER JOIN host AS h
 		ON h.host_template_id=dt.id
-		WHERE h.site_id = ?', array($site['id']));
+		WHERE h.site_id = ?', [$site['id']]);
 
 	if (cacti_sizeof($device_templates)) {
 		foreach($device_templates as $branch) {
@@ -1638,7 +1676,7 @@ function export_generate_site_html($export_path, $site, $parent, $expand_hosts,
 				WHERE site_id = ?
 				AND host_template_id = ?
 				ORDER BY description',
-				array($site['id'], $branch['id']));
+				[$site['id'], $branch['id']]);
 
 			if (cacti_sizeof($hosts)) {
 				foreach($hosts as $host) {
@@ -1682,7 +1720,7 @@ function export_generate_site_html($export_path, $site, $parent, $expand_hosts,
 										INNER JOIN host_snmp_query AS hsq
 										ON sq.id=hsq.snmp_query_id
 										WHERE hsq.host_id = ?',
-										array($host['host_id']));
+										[$host['host_id']]);
 
 									$data_queries[] = array('id' => '0', 'name' => __('Non Query Based', 'gexport'));
 
@@ -1706,9 +1744,9 @@ function export_generate_site_html($export_path, $site, $parent, $expand_hosts,
 												FROM graph_local AS gl
 												WHERE host_id = ?
 												AND snmp_query_id = ?',
-												array($host['host_id'], $query['id']));
+												[$host['host_id'], $query['id']]);
 
-											$dqi = array();
+											$dqi = [];
 											foreach($graphs as $graph) {
 												$dqi[$graph['snmp_index']] = $graph['snmp_index'];
 											}
@@ -1765,7 +1803,7 @@ function export_generate_site_html($export_path, $site, $parent, $expand_hosts,
 		INNER JOIN host AS h
 		ON h.id = gl.host_id
 		WHERE h.site_id = ?
-		ORDER BY gt.name', array($site['id']));
+		ORDER BY gt.name', [$site['id']]);
 
 	if (cacti_sizeof($graph_templates)) {
 		$jstree .= str_repeat("\t", $depth) . "<li id='site_" . $site['id'] . "_gtbranch_0' data-jstree='{ \"type\" : \"graph_template_anchor\" }'>" . __('Graph Templates', 'gexport') . "\n";
@@ -1794,7 +1832,7 @@ function export_generate_site_html($export_path, $site, $parent, $expand_hosts,
 		ON dq.id=gl.snmp_query_id
 		INNER JOIN host AS h
 		ON h.id = gl.host_id
-		WHERE h.site_id = ?', array($site['id']));
+		WHERE h.site_id = ?', [$site['id']]);
 
 	if (cacti_sizeof($data_queries)) {
 		$jstree .= str_repeat("\t", $depth) . "<li id='site_" . $site['id'] . "_dqbranch_0' data-jstree='{ \"type\" : \"data_query_anchor\" }'>" . __('Data Queries', 'gexport') . "\n";
@@ -1820,11 +1858,11 @@ function export_generate_site_html($export_path, $site, $parent, $expand_hosts,
 					ON gl.host_id=h.id
 					WHERE h.site_id = ?
 					AND snmp_query_id = ?',
-					array($site['id'], $branch['id']));
+					[$site['id'], $branch['id']]);
 
-				$sort_field_data = array();
+				$sort_field_data = [];
 
-				$dqi = array();
+				$dqi = [];
 				foreach($graphs as $graph) {
 					if (!isset($sort_field_data[$graph['host_id']])) {
 						$sort_field_data[$graph['host_id']] = get_formatted_data_query_indexes($graph['host_id'], $branch['id']);
@@ -1882,9 +1920,9 @@ function tree_site_export(&$export, $export_path) {
 	$jstree    .= str_repeat("\t", 5) . "var theme='" . $export['export_theme'] . "';\n";
 	$jstree    .= str_repeat("\t", 4) . "</script>\n";
 
-	$jstree    .= str_repeat("\t", 4) . "<div id='jstree'><ul>\n";;
+	$jstree    .= str_repeat("\t", 4) . "<div id='jstree'><ul>\n";
 	$user       = $export['export_effective_user'];
-	$ntree      = array();
+	$ntree      = [];
 	$sql_where  = '';
 	$total_rows = 0;
 	$parent     = 0;
@@ -1904,7 +1942,7 @@ function tree_site_export(&$export, $export_path) {
 
 		if (cacti_sizeof($trees)) {
 			foreach($trees as $tree) {
-				$jstree .= str_repeat("\t", 4) . "<li id='tree_" . $tree['id'] . "' data-jstree='{ \"type\" : \"tree\" }'>" . get_tree_name($tree['id']) . "\n";;
+				$jstree .= str_repeat("\t", 4) . "<li id='tree_" . $tree['id'] . "' data-jstree='{ \"type\" : \"tree\" }'>" . get_tree_name($tree['id']) . "\n";
 				$jstree = export_generate_tree_html($export_path, $tree, $parent, $export['export_expand_hosts'], $user, $jstree);
 				$jstree .= str_repeat("\t", 4) . "</li>\n";
 			}
@@ -1920,10 +1958,10 @@ function tree_site_export(&$export, $export_path) {
 
 		if (cacti_sizeof($sites)) {
 			foreach($sites as $site_id) {
-				$site_data = db_fetch_row_prepared('SELECT * FROM sites WHERE id = ?', array($site_id));
+				$site_data = db_fetch_row_prepared('SELECT * FROM sites WHERE id = ?', [$site_id]);
 
 				if (cacti_sizeof($site_data)) {
-					$jstree .= str_repeat("\t", 4) . "<li id='site_" . $site_id . "' data-jstree='{ \"type\" : \"site\" }'>" . $site_data['name'] . "\n";;
+					$jstree .= str_repeat("\t", 4) . "<li id='site_" . $site_id . "' data-jstree='{ \"type\" : \"site\" }'>" . $site_data['name'] . "\n";
 					$jstree  = export_generate_site_html($export_path, $site_data, $parent, $export['export_expand_hosts'], $user, $jstree);
 					$jstree .= str_repeat("\t", 4) . "</li>\n";
 				}
@@ -2064,27 +2102,27 @@ function create_export_directory_structure(&$export, $root_path, $export_path) {
 	copy("$root_path/include/themes/$theme/images/cacti_logo.svg", "$export_path/images/cacti_logo.svg");
 
 	/* jstree theme files */
-	$files = array('32px.png', '40px.png', 'style.css', 'throbber.gif');
+	$files = ['32px.png', '40px.png', 'style.css', 'throbber.gif'];
 	foreach($files as $file) {
 		copy("$root_path/include/themes/$theme/default/$file", "$export_path/css/default/$file");
 	}
 
 	$directory = "$root_path/include/themes/$theme/images";
-	$directory = array_diff(glob("$directory/*.*"), array("$directory/.", "$directory/.."));
+	$directory = array_diff(glob("$directory/*.*"), ["$directory/.", "$directory/.."]);
 	foreach($directory as $file) {
 		$file = basename($file);
 		copy("$root_path/include/themes/$theme/images/$file", "$export_path/css/images/$file");
 	}
 
 	$directory = "$root_path/include/fa/webfonts";
-	$directory = array_diff(glob("$directory/*.*"), array("$directory/.", "$directory/.."));
+	$directory = array_diff(glob("$directory/*.*"), ["$directory/.", "$directory/.."]);
 	foreach($directory as $file) {
 		$file = basename($file);
 		copy("$root_path/include/fa/webfonts/$file", "$export_path/webfonts/$file");
 	}
 
 	$directory = "$root_path/include/fa/svgs";
-	$directory = array_diff(glob("$directory/*.*"), array("$directory/.", "$directory/.."));
+	$directory = array_diff(glob("$directory/*.*"), ["$directory/.", "$directory/.."]);
 	foreach($directory as $file) {
 		$file = basename($file);
 		copy("$root_path/include/fa/svgs/$file", "$export_path/svgs/$file");
@@ -2094,13 +2132,13 @@ function create_export_directory_structure(&$export, $root_path, $export_path) {
 /* get_host_description - a simple function to return the host description of a host.
    @arg $host_id - the id of the host in question */
 function get_host_description($host_id) {
-	return db_fetch_cell_prepared('SELECT description FROM host WHERE id = ?', array($host_id));
+	return db_fetch_cell_prepared('SELECT description FROM host WHERE id = ?', [$host_id]);
 }
 
 /* get_tree_name - a simple function to return the tree name of a tree.
    @arg $tree_id - the id of the tree in question */
 function get_tree_name($tree_id) {
-	return db_fetch_cell_prepared('SELECT name FROM graph_tree WHERE id = ?', array($tree_id));
+	return db_fetch_cell_prepared('SELECT name FROM graph_tree WHERE id = ?', [$tree_id]);
 }
 
 /* del_directory - delete the directory pointed to by the $path variable.
diff --git a/gexport.php b/gexport.php
index fa23718..50a7fe1 100644
--- a/gexport.php
+++ b/gexport.php
@@ -25,6 +25,7 @@
 chdir('../../');
 include('./include/auth.php');
 include_once('./plugins/gexport/functions.php');
+include_once('./plugins/gexport/gexport_security.php');
 
 $export_actions = array(
 	'1' => __('Delete', 'gexport'),
@@ -148,7 +149,7 @@ function export_form_save() {
 function duplicate_export($_export_id, $export_title) {
 	global $fields_export_edit;
 
-	$export = db_fetch_row_prepared('SELECT * FROM graph_exports WHERE id = ?', array($_export_id));
+	$export = db_fetch_row_prepared('SELECT * FROM graph_exports WHERE id = ?', [$_export_id]);
 
 	/* substitute the title variable */
 	$export['name'] = str_replace('<export_title>', $export['name'], $export_title);
@@ -173,12 +174,14 @@ function duplicate_export($_export_id, $export_title) {
 function export_form_actions() {
 	global $export_actions;
 
+	$bulk_action = gexport_normalize_bulk_action(get_nfilter_request_var('drp_action'));
+
 	/* if we are to save this form, instead of display it */
 	if (isset_request_var('selected_items')) {
 		$selected_items = sanitize_unserialize_selected_items(get_nfilter_request_var('selected_items'));
 
 		if ($selected_items != false) {
-			if (get_nfilter_request_var('drp_action') === '1') { /* delete */
+			if ($bulk_action === '1') { /* delete */
 				/* do a referential integrity check */
 				if (sizeof($selected_items)) {
 					foreach($selected_items as $export_id) {
@@ -193,7 +196,7 @@ function export_form_actions() {
 				if (isset($export_ids)) {
 					db_execute('DELETE FROM graph_exports WHERE ' . array_to_sql_or($export_ids, 'id'));
 				}
-			} elseif (get_nfilter_request_var('drp_action') === '2') { /* enable */
+			} elseif ($bulk_action === '2') { /* enable */
 				for ($i=0;($i<count($selected_items));$i++) {
 					/* ================= input validation ================= */
 					input_validate_input_number($selected_items[$i]);
@@ -201,7 +204,7 @@ function export_form_actions() {
 
 					export_enable($selected_items[$i]);
 				}
-			} elseif (get_nfilter_request_var('drp_action') === '3') { /* disable */
+			} elseif ($bulk_action === '3') { /* disable */
 				for ($i=0;($i<count($selected_items));$i++) {
 					/* ================= input validation ================= */
 					input_validate_input_number($selected_items[$i]);
@@ -209,7 +212,7 @@ function export_form_actions() {
 
 					export_disable($selected_items[$i]);
 				}
-			} elseif (get_nfilter_request_var('drp_action') === '4') { /* run now */
+			} elseif ($bulk_action === '4') { /* run now */
 				for ($i=0;($i<count($selected_items));$i++) {
 					/* ================= input validation ================= */
 					input_validate_input_number($selected_items[$i]);
@@ -239,7 +242,7 @@ function export_form_actions() {
 			input_validate_input_number($matches[1]);
 			/* ==================================================== */
 
-			$export_list .= '<li>' . db_fetch_cell_prepared('SELECT name FROM graph_exports WHERE id = ?', array($matches[1])) . '</li>';
+			$export_list .= '<li>' . db_fetch_cell_prepared('SELECT name FROM graph_exports WHERE id = ?', [$matches[1]]) . '</li>';
 			$export_array[] = $matches[1];
 		}
 	}
@@ -248,10 +251,10 @@ function export_form_actions() {
 
 	form_start('gexport.php', 'export_actions');
 
-	html_start_box($export_actions[get_nfilter_request_var('drp_action')], '60%', '', '3', 'center', '');
+	html_start_box(isset($export_actions[$bulk_action]) ? $export_actions[$bulk_action] : '', '60%', '', '3', 'center', '');
 
 	if (isset($export_array)) {
-		if (get_nfilter_request_var('drp_action') === '1') { /* delete */
+		if ($bulk_action === '1') { /* delete */
 			print "	<tr>
 					<td class='topBoxAlt'>
 						<p>" . __n('Click \'Continue\' to delete the following Graph Export Definition.', 'Click \'Continue\' to delete following Graph Export Definitions.', sizeof($export_array), 'gexport') . "</p>
@@ -261,7 +264,7 @@ function export_form_actions() {
 
 			$save_html = "<button type='button' class='ui-button ui-corner-all ui-widget' onClick='cactiReturnTo()'>" . __esc('Cancel', 'gexport') . "</button>
 				<button type='submit' class='ui-button ui-corner-all ui-widget ui-state-active' title='" . __esc('Delete Graph Export Definition(s)', 'gexport') . "'>" . __esc('Continue', 'gexport') . '</button>';
-		} elseif (get_nfilter_request_var('drp_action') === '2') { /* disable */
+		} elseif ($bulk_action === '2') { /* disable */
 			print "	<tr>
 					<td class='topBoxAlt'>
 						<p>" . __n('Click \'Continue\' to disable the following Graph Export Definition.', 'Click \'Continue\' to disable following Graph Export Definitions.', sizeof($export_array), 'gexport') . "</p>
@@ -271,7 +274,7 @@ function export_form_actions() {
 
 			$save_html = "<button type='button' class='ui-button ui-corner-all ui-widget' onClick='cactiReturnTo()'>" . __esc('Cancel', 'gexport') . "</button>
 				<button type='submit' class='ui-button ui-corner-all ui-widget ui-state-active' title='" . __esc('Disable Graph Export Definition(s)', 'gexport') . "'>" . __esc('Continue', 'gexport') . '</button>';
-		} elseif (get_nfilter_request_var('drp_action') === '3') { /* enable */
+		} elseif ($bulk_action === '3') { /* enable */
 			print "	<tr>
 					<td class='topBoxAlt'>
 						<p>" . __n('Click \'Continue\' to enable the following Graph Export Definition.', 'Click \'Continue\' to enable following Graph Export Definitions.', sizeof($export_array), 'gexport') . "</p>
@@ -281,7 +284,7 @@ function export_form_actions() {
 
 			$save_html = "<button type='button' class='ui-button ui-corner-all ui-widget' onClick='cactiReturnTo()'>" . __esc('Cancel', 'gexport') . "</button>
 				<input type='submit' class='ui-button ui-corner-all ui-widget ui-state-active' title='" . __esc('Enable Graph Export Definition(s)', 'gexport') . "'>" . __esc('Continue', 'gexport') . '</button>';
-		} elseif (get_nfilter_request_var('drp_action') === '4') { /* export now */
+		} elseif ($bulk_action === '4') { /* export now */
 			print "<tr>
 				<td class='topBoxAlt'>
 					<p>" . __n('Click \'Continue\' to run the following Graph Export Definition now.', 'Click \'Continue\' to run following Graph Export Definitions now.', sizeof($export_array)) . "</p>
@@ -301,7 +304,7 @@ function export_form_actions() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($export_array) ? serialize($export_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_nfilter_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape($bulk_action) . "'>
 			$save_html
 		</td>
 	</tr>";
@@ -318,11 +321,11 @@ function export_form_actions() {
    --------------------- */
 
 function export_enable($export_id) {
-	db_execute_prepared('UPDATE graph_exports SET enabled="on" WHERE id = ?', array($export_id));
+	db_execute_prepared('UPDATE graph_exports SET enabled="on" WHERE id = ?', [$export_id]);
 }
 
 function export_disable($export_id) {
-	db_execute_prepared('UPDATE graph_exports SET enabled="" WHERE id = ?', array($export_id));
+	db_execute_prepared('UPDATE graph_exports SET enabled="" WHERE id = ?', [$export_id]);
 }
 
 function export_runnow($export_id) {
@@ -330,7 +333,7 @@ function export_runnow($export_id) {
 
 	include_once('./lib/poller.php');
 
-	$status = db_fetch_row_prepared('SELECT status, enabled FROM graph_exports WHERE id = ?', array($export_id));
+	$status = db_fetch_row_prepared('SELECT status, enabled FROM graph_exports WHERE id = ?', [$export_id]);
 
 	if (($status['status'] == 0 || $status['status'] == 2) && $status['enabled'] == 'on') {
 		$command_string = read_config_option('path_php_binary');
@@ -361,8 +364,8 @@ function export_edit() {
 
 	draw_edit_form(
 		array(
-			'config' => array('no_form_tag' => true),
-			'fields' => inject_form_variables($fields_export_edit, (isset($export) ? $export : array()))
+			'config' => ['no_form_tag' => true],
+			'fields' => inject_form_variables($fields_export_edit, (isset($export) ? $export : []))
 		)
 	);
 
@@ -695,40 +698,40 @@ function gexport() {
 
     /* ================= input validation and session storage ================= */
     $filters = array(
-		'rows' => array(
+		'rows' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-			),
-		'page' => array(
+			],
+		'page' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '1'
-			),
-		'refresh' => array(
+			],
+		'refresh' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '20'
-			),
-		'filter' => array(
+			],
+		'filter' => [
 			'filter' => FILTER_DEFAULT,
 			'pageset' => true,
 			'default' => ''
-			),
+			],
 		'sort_column' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'name',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 			),
 		'sort_direction' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'ASC',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 			)
 	);
 
 	validate_store_request_vars($filters, 'sess_gexport');
 	/* ================= input validation ================= */
 
-	$refresh            = array();
+	$refresh            = [];
 	$refresh['page']    = 'gexport.php?header=false';
 	$refresh['seconds'] = get_request_var('refresh');
 	$refresh['logout']  = 'false';
@@ -738,7 +741,7 @@ function gexport() {
 	export_filter();
 
 	$total_rows = 0;
-	$exports = array();
+	$exports = [];
 
 	if (get_request_var('rows') == '-1') {
 		$rows = read_config_option('num_rows_table');
@@ -821,7 +824,7 @@ function gexport() {
 		)
 	);
 
-	$nav = html_nav_bar('gexport.php?filter=' . get_request_var('filter'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, sizeof($display_text) + 1, __('Export Definitions', 'gexport'), 'page', 'main');
+	$nav = html_nav_bar(gexport_build_nav_filter_url(get_request_var('filter')), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, sizeof($display_text) + 1, __('Export Definitions', 'gexport'), 'page', 'main');
 
 	form_start('gexport.php', 'chk');
 
@@ -837,7 +840,7 @@ function gexport() {
 			$user = db_fetch_cell_prepared('SELECT username
 				FROM user_auth
 				WHERE id = ?',
-				array($export['export_effective_user']));
+				[$export['export_effective_user']]);
 
 			if ($export['export_pid'] > 0 && $export['status'] > 0) {
 				if (function_exists('posix_getpgid')) {
@@ -850,7 +853,7 @@ function gexport() {
 					db_execute_prepared('UPDATE graph_exports
 						SET status=0, export_pid=0, last_error="Killed Outside Cacti", last_errored=NOW()
 						WHERE id = ?',
-						array($export['id']));
+						[$export['id']]);
 				}
 			}
 
@@ -937,4 +940,3 @@ function gexport() {
 
 	form_end();
 }
-
diff --git a/gexport_security.php b/gexport_security.php
new file mode 100644
index 0000000..f318e62
--- /dev/null
+++ b/gexport_security.php
@@ -0,0 +1,28 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDTool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+function gexport_normalize_bulk_action($value) {
+	if (is_int($value)) {
+		$action = $value;
+	} elseif (is_string($value) && preg_match('/^[0-9]+$/', $value)) {
+		$action = (int) $value;
+	} else {
+		return '';
+	}
+
+	if ($action < 1 || $action > 4) {
+		return '';
+	}
+
+	return (string) $action;
+}
+
+function gexport_build_nav_filter_url($filter) {
+	return 'gexport.php?filter=' . rawurlencode((string) $filter);
+}
diff --git a/setup.php b/setup.php
index 5a26d25..8505e81 100644
--- a/setup.php
+++ b/setup.php
@@ -71,7 +71,7 @@ function gexport_check_upgrade() {
 	include_once($config['library_path'] . '/functions.php');
 
 	// Let's only run this check if we are on a page that actually needs the data
-	$files = array('plugins.php', 'gexport.php');
+	$files = ['plugins.php', 'gexport.php'];
 	if (!in_array(get_current_page(), $files)) {
 		return;
 	}
@@ -259,13 +259,13 @@ function gexport_config_arrays() {
 	$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR;
 
 	if (isset($_SESSION['gexport_message']) && $_SESSION['gexport_message'] != '') {
-		$messages['gexport_message'] = array('message' => $_SESSION['gexport_message'], 'type' => 'info');
+		$messages['gexport_message'] = ['message' => $_SESSION['gexport_message'], 'type' => 'info'];
 	}
 
 	$menu[__('Utilities')]['plugins/gexport/gexport.php'] = __('Graph Exports', 'gexport');
 
 	if (function_exists('auth_augment_roles')) {
-		auth_augment_roles(__('General Administration'), array('gexport.php'));
+		auth_augment_roles(__('General Administration'), ['gexport.php']);
 	}
 
 	$sites = array_rekey(db_fetch_assoc('SELECT "0" AS id, "All Sites" AS name UNION SELECT id, name FROM sites ORDER BY name'), 'id', 'name');
diff --git a/tests/Integration/test_bulk_action_output_security.php b/tests/Integration/test_bulk_action_output_security.php
new file mode 100644
index 0000000..0d2e44b
--- /dev/null
+++ b/tests/Integration/test_bulk_action_output_security.php
@@ -0,0 +1,32 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDTool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+$path = __DIR__ . '/../../gexport.php';
+$contents = file_get_contents($path);
+
+if ($contents === false) {
+	fwrite(STDERR, "Unable to read gexport.php\n");
+	exit(1);
+}
+
+$checks = array(
+	"include_once('./plugins/gexport/gexport_security.php');",
+	'$bulk_action = gexport_normalize_bulk_action(get_nfilter_request_var(\'drp_action\'));',
+	'html_start_box(isset($export_actions[$bulk_action]) ? $export_actions[$bulk_action] : \'\',',
+	'<input type=\'hidden\' name=\'drp_action\' value=\'" . html_escape($bulk_action) . "\'>',
+);
+
+foreach ($checks as $check) {
+	if (strpos($contents, $check) === false) {
+		fwrite(STDERR, "Missing expected security wiring: {$check}\n");
+		exit(1);
+	}
+}
+
+print "OK\n";
diff --git a/tests/Unit/test_gexport_security_helpers.php b/tests/Unit/test_gexport_security_helpers.php
new file mode 100644
index 0000000..107c4b7
--- /dev/null
+++ b/tests/Unit/test_gexport_security_helpers.php
@@ -0,0 +1,37 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDTool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+require_once __DIR__ . '/../../gexport_security.php';
+
+if (gexport_normalize_bulk_action('1') !== '1') {
+	fwrite(STDERR, "Expected action 1 to normalize\n");
+	exit(1);
+}
+
+if (gexport_normalize_bulk_action('4') !== '4') {
+	fwrite(STDERR, "Expected action 4 to normalize\n");
+	exit(1);
+}
+
+if (gexport_normalize_bulk_action('4\" autofocus onfocus=\"alert(1)') !== '') {
+	fwrite(STDERR, "Expected mixed action payload to be rejected\n");
+	exit(1);
+}
+
+if (gexport_normalize_bulk_action('99') !== '') {
+	fwrite(STDERR, "Expected out of range action to be rejected\n");
+	exit(1);
+}
+
+if (gexport_build_nav_filter_url('name=test&refresh=1') !== 'gexport.php?filter=name%3Dtest%26refresh%3D1') {
+	fwrite(STDERR, "Expected filter to be URL encoded\n");
+	exit(1);
+}
+
+print "OK\n";
diff --git a/tests/e2e/test_filter_nav_encoding.php b/tests/e2e/test_filter_nav_encoding.php
new file mode 100644
index 0000000..61bc9db
--- /dev/null
+++ b/tests/e2e/test_filter_nav_encoding.php
@@ -0,0 +1,28 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDTool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+$path = __DIR__ . '/../../gexport.php';
+$contents = file_get_contents($path);
+
+if ($contents === false) {
+	fwrite(STDERR, "Unable to read gexport.php\n");
+	exit(1);
+}
+
+if (strpos($contents, "html_nav_bar(gexport_build_nav_filter_url(get_request_var('filter'))") === false) {
+	fwrite(STDERR, "Expected nav filter URL builder to be used\n");
+	exit(1);
+}
+
+if (strpos($contents, "html_nav_bar('gexport.php?filter=' . get_request_var('filter')") !== false) {
+	fwrite(STDERR, "Raw filter reuse still present in nav URL\n");
+	exit(1);
+}
+
+print "OK\n";