diff --git a/Controller/Adminhtml/Riskified/Masssend.php b/Controller/Adminhtml/Riskified/Masssend.php
index 8ac92c4..7b55753 100755
--- a/Controller/Adminhtml/Riskified/Masssend.php
+++ b/Controller/Adminhtml/Riskified/Masssend.php
@@ -6,6 +6,8 @@
 
 class Masssend extends \Magento\Backend\App\Action
 {
+    public const ADMIN_RESOURCE = 'Magento_Sales::sales_order';
+
     /**
      * @var OrderApi
      */
diff --git a/Controller/Adminhtml/Riskified/Send.php b/Controller/Adminhtml/Riskified/Send.php
index c8169a9..d83f52c 100755
--- a/Controller/Adminhtml/Riskified/Send.php
+++ b/Controller/Adminhtml/Riskified/Send.php
@@ -6,6 +6,8 @@
 
 class Send extends \Magento\Backend\App\Action
 {
+    public const ADMIN_RESOURCE = 'Magento_Sales::sales_order';
+
     /**
      * @var OrderApi
      */
diff --git a/Model/Observer/UpdateOrderState.php b/Model/Observer/UpdateOrderState.php
index 08a8faa..94e7dbd 100644
--- a/Model/Observer/UpdateOrderState.php
+++ b/Model/Observer/UpdateOrderState.php
@@ -254,7 +254,11 @@ private function saveStatusBeforeHold($newState, $order)
                         \Magento\Framework\App\ResourceConnection::DEFAULT_CONNECTION
                     );
                     $tableOrderStatuses = $connection->getTableName('sales_order_status_state');
-                    $result = $connection->fetchRow('SELECT state FROM `' . $tableOrderStatuses . '` WHERE status="' . $status . '"');
+
+                    $result = $connection->fetchRow(
+                        'SELECT state FROM `' . $tableOrderStatuses . '` WHERE status = ?',
+                        [$status]
+                    );
                     $state = $result['state'];
 
                     $order->setHoldBeforeState($state);
diff --git a/view/frontend/templates/riskified_js.phtml b/view/frontend/templates/riskified_js.phtml
index c424661..5d5dfbf 100755
--- a/view/frontend/templates/riskified_js.phtml
+++ b/view/frontend/templates/riskified_js.phtml
@@ -1,8 +1,14 @@
-<?php if ($block->isEnabled()) : ?>
+<?php
+/**
+ * @var \Riskified\Decider\Block\Js $block
+ * @var \Magento\Framework\Escaper $escaper
+ */
+?>
+<?php if ($block->isEnabled()): ?>
     <script type="text/javascript">
         function riskifiedBeaconLoad() {
             jQuery.ajax(
-                "<?php echo $block->getUrl("decider/response/session"); ?>", {
+                "<?= $escaper->escapeUrl($block->getUrl('decider/response/session')); ?>", {
                     success : function(response) {
                         var session_id = response.session_id;
 
@@ -10,11 +16,11 @@
                             return false;
                         }
 
-                        var store_domain = "<?php echo $block->getShopDomain() ?>";
-                        var version = "<?php echo $block->getExtensionVersion() ?>";
+                        var store_domain = "<?= $escaper->escapeJs($block->getShopDomain()) ?>";
+                        var version = "<?= $escaper->escapeJs($block->getExtensionVersion()) ?>";
 
                         var url = ('https:' == document.location.protocol ? 'https://' : 'http://')
-                            + "<?php echo $block->getConfigBeaconUrl()?>?shop=" + store_domain
+                            + "<?= $escaper->escapeUrl($block->getConfigBeaconUrl()) ?>?shop=" + store_domain
                             + "&sid=" + session_id
                             + "&v=" + version;
 
@@ -35,4 +41,4 @@
             window.addEventListener('load', riskifiedBeaconLoad, false);
         }
     </script>
-<?php endif; ?>
\ No newline at end of file
+<?php endif; ?>
