
PHP_SELF and SCRIPT_NAME - XSS attacks edition

PHP_SELF opens up a page to XSS attacks when code such as echo $_SERVER['PHP_SELF'] is included, but what about SCRIPT_NAME? Since it does not include path info, is this safe to use? I know you can use htmlentities and other similar functions to sanitize but I'd rather avoid the extra function call.

I'm quite sure that it would be safe to use but I'd like the reassurance of the SO community :)


As good practice, you should always protect against any variables from $_SERVER, $_GET, $_POST etc.

$str = filter_var($input, FILTER_SANITIZE_STRING); // strips tags and encodes quotes; deprecated since PHP 8.1

This is a simple way to sanitize a string, or you can use htmlentities. I created a class that I use when returning any variables from $_SERVER, $_GET and $_POST.

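As an added example (not code from the question or the answer above), the script below shows the three things a practitioner would want to see side by side: the PHP_SELF reflection from the question breaking out of an HTML attribute, the same value rendered inert by htmlspecialchars, and SCRIPT_NAME carrying no PATH_INFO segment at all. The $server array is a constructed stand-in for $_SERVER, modelling Apache with AcceptPathInfo enabled; the function names are arbitrary. It needs PHP 8.0 or newer for str_contains.

```php
<?php
// Added example, not code from the question or the answer above.
// Shows why echoing PHP_SELF unescaped is exploitable, that SCRIPT_NAME
// omits the attacker-controlled PATH_INFO segment, and that HTML-encoding
// the value makes either one safe to print. Requires PHP 8.0+ (str_contains).
declare(strict_types=1);

// Constructed stand-in for $_SERVER. It models Apache with AcceptPathInfo
// enabled handling: GET /form.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
// The server URL-decodes the trailing segment into PATH_INFO, and PHP_SELF
// is SCRIPT_NAME followed by that decoded PATH_INFO.
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PATH_INFO'   => '/"><script>alert(1)</script>',
    'PHP_SELF'    => '/form.php/"><script>alert(1)</script>',
];

/** The vulnerable pattern from the question: PHP_SELF echoed verbatim. */
function formActionUnsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

/**
 * The hardened form: encode at output. Works for any key, so the page's
 * safety no longer depends on the web server keeping PATH_INFO out of
 * whichever variable is printed.
 */
function formActionSafe(array $server, string $key = 'SCRIPT_NAME'): string
{
    $path = htmlspecialchars($server[$key], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $path . '" method="post">';
}

/** Crude detector: a raw "> followed by < means the attribute was broken out of. */
function escapesAttribute(string $html): bool
{
    return str_contains($html, '"><');
}

echo formActionUnsafe($server), PHP_EOL;           // attribute broken, script tag injected
echo formActionSafe($server, 'PHP_SELF'), PHP_EOL; // same input, rendered as inert entities
echo formActionSafe($server), PHP_EOL;             // SCRIPT_NAME: no PATH_INFO present

if (!escapesAttribute(formActionUnsafe($server))) {
    throw new RuntimeException('expected the unescaped PHP_SELF to break the attribute');
}
if (escapesAttribute(formActionSafe($server, 'PHP_SELF'))) {
    throw new RuntimeException('htmlspecialchars should have neutralised the payload');
}
```

Two practical notes. First, what ends up in SCRIPT_NAME is set by the web server and SAPI, not by PHP's own parsing of the URL, so treating it as trusted ties the page's safety to the server configuration; the htmlspecialchars call is the cheaper guarantee. Second, if the only goal is a form that posts back to itself, omit the action attribute entirely and the browser submits to the current document URL, so neither variable needs to be printed at all.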