Junitar, posted March 24, 2017 (edited):

Hi, I'm new to PHP and I was wondering if it's perfectly safe to use $_SERVER['PHP_SELF'] like so:

    <body<?php if(basename($_SERVER['PHP_SELF']) == 'home.php') echo ' class="home"'; ?>>
    …
    </body>

As far as I understand, the $_SERVER['PHP_SELF'] variable can only be exploited when used as a link or in a form/inputs, where the variable should be wrapped in htmlspecialchars() to counter XSS attacks, am I right?

Ingolme, posted March 24, 2017:

There's no security issue there because the only thing that can be "hacked" is whether the body element has a class attribute or not.

Junitar, posted March 24, 2017 (edited):

Thank you for confirming my thoughts. I had a doubt after I stumbled upon an old thread on Stack Overflow where a guy implied this kind of code was possibly flawed.
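
An added illustration of the exchange above (not code from the thread): $_SERVER['PHP_SELF'] includes any trailing path info the client appends after the script name, so the constructed sample values below show that the basename() comparison can only switch the class on or off, while a page that prints PHP_SELF has to escape it with htmlspecialchars(). The function names bodyTag and formTag are hypothetical.

```php
<?php
// Added example. The PHP_SELF values are constructed samples, not real requests.
// PHP_SELF = script path plus any trailing path info supplied by the client.
$samples = [
    '/home.php',                    // normal request
    '/home.php/extra',              // trailing path info hides the match
    '/about.php/home.php',          // trailing path info fakes the match
    '/home.php/"><b>injected</b>',  // markup in the trailing path info
];

// The pattern from the question: PHP_SELF is compared, never printed.
// Whatever the client sends, the only possible outputs are the two
// fixed strings below, so nothing client-controlled reaches the page.
function bodyTag(string $phpSelf): string
{
    $class = basename($phpSelf) === 'home.php' ? ' class="home"' : '';
    return '<body' . $class . '>';
}

// A pattern that does print PHP_SELF (form action, link href):
// the value must be escaped for an HTML attribute context.
function formTag(string $phpSelf): string
{
    $action = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

foreach ($samples as $phpSelf) {
    echo "PHP_SELF : $phpSelf\n";
    echo "  body   : " . bodyTag($phpSelf) . "\n";
    echo "  form   : " . formTag($phpSelf) . "\n";
}
```

Comparing basename($_SERVER['SCRIPT_NAME']) instead normally avoids the wrong-class cases in the second and third samples, because SCRIPT_NAME does not carry the trailing path info.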