Hi,
I'm new to PHP and I was wondering if it's perfectly safe to use $_SERVER['PHP_SELF'] like so:
<body<?php if(basename($_SERVER['PHP_SELF']) == 'home.php') echo ' class="home"'; ?>>
…
</body>
As far as I understand, the $_SERVER['PHP_SELF'] variable can only be exploited when used as a link or in a form/inputs, where the variable should be wrapped in htmlspecialchars() to counter XSS attacks. Am I right?
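
The two uses the post distinguishes, side by side, as an added example that is not part of the original post. The helper names `bodyClassAttr` and `formAction` and the sample `PHP_SELF` values are constructed for illustration.

```php
<?php
// Added example: helper names and sample values are constructed, not from the post.

// Comparison-only use, as in the post: the request value is compared and
// the echoed text is a fixed literal, so nothing from the request reaches
// the output.
function bodyClassAttr(array $server): string
{
    return basename($server['PHP_SELF']) === 'home.php' ? ' class="home"' : '';
}

// Output use: the value itself is written into an HTML attribute, so it is
// escaped for that context before being emitted.
function formAction(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
}

// Constructed inputs. PHP_SELF includes any extra path segments the client
// appends after the script name, so the second value carries markup
// characters chosen by the requester.
$samples = [
    'plain request'                  => ['PHP_SELF' => '/home.php'],
    'trailing path info with markup' => ['PHP_SELF' => '/home.php/"><b>x</b>'],
];

foreach ($samples as $label => $server) {
    echo "== $label ==\n";
    // With trailing path info, basename() no longer returns 'home.php', so
    // the class is simply omitted; the output is still only literal text.
    echo '<body' . bodyClassAttr($server) . ">\n";
    // The quote and angle brackets come out as &quot; &gt; &lt; entities.
    echo '<form action="' . formAction($server) . "\" method=\"post\">\n\n";
}
```

Run with `php example.php` on the command line; if the comparison has to keep matching when extra path segments are appended, `$_SERVER['SCRIPT_NAME']` holds the script path without them.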