To make it safe to use, you need to use htmlspecialchars():
<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>
See A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written for how $_SERVER["PHP_SELF"] can be attacked.
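As an added example (not part of the original answer): the unescaped and the escaped form action side by side, using a constructed stand-in for $_SERVER["PHP_SELF"]. The names escape_attr, form_tag_unsafe and form_tag_safe are chosen here for illustration.

```php
<?php
// Added example, not code from the original answer. Shows why the path must be
// escaped before it is placed inside an HTML attribute.

// Output-escape a value for use inside a double-quoted HTML attribute.
// ENT_SUBSTITUTE (PHP >= 5.4) replaces invalid UTF-8 sequences instead of
// returning an empty string, so the attribute is never silently emptied.
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, "utf-8");
}

// Unsafe: echoes the path as-is into the attribute, so any quote or angle
// bracket in the request path ends up as live markup.
function form_tag_unsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Safe: the same markup, but the path is escaped first.
function form_tag_safe(string $phpSelf): string
{
    return '<form method="post" action="' . escape_attr($phpSelf) . '">';
}

// Constructed sample value standing in for $_SERVER["PHP_SELF"]. The part
// after form.php (PATH_INFO) is taken from the request, so the client
// controls it; here it carries a quote and a harmless tag as a marker.
$phpSelf = '/form.php/"><b>injected</b>';

echo "unsafe: ", form_tag_unsafe($phpSelf), PHP_EOL;
echo "safe:   ", form_tag_safe($phpSelf), PHP_EOL;
```

Run it with `php example.php`: the unsafe line closes the action attribute early and leaves the marker tag in the page, while the safe line keeps the whole path inside the attribute as entity-encoded text.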