
I was told by an IT admin that their security scan of a newly acquired website flagged the following shared snippet, which is used in the head portion of the website; it supposedly opens up many vulnerabilities and should be changed to use htmlentities instead.

I came across this thread, which provided some insight; however, in this use case I am not so sure the vulnerability exists or is even within the realm of feasibility (not to say it's not possible) due to the server being on https?

Is this the safest way to handle a form PHP

If it's on https, should that not negate any vulnerability potential?

Original

<link rel="canonical" href="https://www.ourwebsite.com<?php echo $_SERVER['PHP_SELF']; ?>" />

New

<link rel="canonical" href="https://www.ourwebsite.com<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" />
VanCoon
  • Does this answer your question? [How to prevent XSS with HTML/PHP?](https://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php) – user3783243 Jan 08 '20 at 15:18
  • `https` only handles the delivery between the client and your server. Your server or client can still have malicious content, you're just sending it encrypted. – user3783243 Jan 08 '20 at 15:18

1 Answer


The problem: The user can control the content of $_SERVER['PHP_SELF']

Let's say your code is in index.php.

So when you call https://www.yourserver.com/index.php your code will work as expected. But index.php will also be called when someone calls

http://localhost/phpinfo.php/%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr

The part /%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr is called PATH_INFO.

When you try it, you will see that the JavaScript is also executed.

Some evil user can generate such a link with any JavaScript in it and send it by email to his victim in the hope that he will click on it; his JavaScript will then be executed in the victim's browser. So maybe he can steal the session id from that user and capture his session.

Thomas
  • Oddly enough adding and calling www.yourserver.com/seemethen viewing dev-tools and source code and you can still see So it would appear that adding htmlspecialchars does not fix this issue? – VanCoon Jan 23 '20 at 19:45
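The following is an added example, not code from the question, the answer or the linked thread. It reproduces the behaviour the answer describes and the escaped form from the question so both can be compared from the command line (php canonical_demo.php) without a web server: the PHP_SELF values are constructed here, the second one being what the server hands PHP after URL-decoding the PATH_INFO from the answer's example link. The third variant (canonicalStrict, a name chosen for this example) goes one step beyond the page and whitelists the path before escaping it; in a real page you would feed it $_SERVER['SCRIPT_NAME'], which does not carry PATH_INFO.

```php
<?php
declare(strict_types=1);

// Added example (not from the original question or answer). Builds the
// canonical tag the way the two snippets on the page do, with constructed
// PHP_SELF values standing in for a real request.

// 1. The original snippet: the request path is echoed raw into an attribute.
function canonicalRaw(string $phpSelf): string
{
    return '<link rel="canonical" href="https://www.ourwebsite.com' . $phpSelf . '" />';
}

// 2. The proposed fix: escape for an HTML attribute context. ENT_QUOTES turns
//    both quote styles into entities, so the value cannot close href="..." early,
//    and < and > become &lt; / &gt;, so no tag can be started inside it.
function canonicalEscaped(string $phpSelf): string
{
    return '<link rel="canonical" href="https://www.ourwebsite.com'
        . htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '" />';
}

// 3. Stricter (hypothetical helper, not on the page): accept only plain path
//    segments and fall back to the site root instead of reflecting anything
//    unexpected. Escaping is still applied so the output is safe even if the
//    allow-list is loosened later.
function canonicalStrict(string $scriptName): string
{
    if (!preg_match('~^/([A-Za-z0-9._-]+/)*[A-Za-z0-9._-]*$~', $scriptName)) {
        $scriptName = '/';
    }
    return '<link rel="canonical" href="https://www.ourwebsite.com'
        . htmlspecialchars($scriptName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '" />';
}

// Constructed inputs. $attackRequest is the decoded form of the answer's link:
// /index.php/%22/%3E%3Cscript%3Ealert('Hello');%3C/script%3E%3Cbr
$normalRequest = '/index.php';
$attackRequest = '/index.php/"/><script>alert(\'Hello\');</script><br';

echo "raw, normal:     ", canonicalRaw($normalRequest), PHP_EOL;
// The quote and /> close the <link> tag and a live <script> element follows:
echo "raw, attack:     ", canonicalRaw($attackRequest), PHP_EOL;
// Same input, but it now stays inside the href value as inert text:
echo "escaped, attack: ", canonicalEscaped($attackRequest), PHP_EOL;
echo "strict, attack:  ", canonicalStrict($attackRequest), PHP_EOL;
echo "strict, normal:  ", canonicalStrict($normalRequest), PHP_EOL;
```

The escaped line still contains the word script when you view the page source, as `&lt;script&gt;`, which is what looking at dev-tools after the fix will show; the browser decodes those entities into text inside the attribute value and never parses them as a tag, so nothing executes. HTTPS changes none of this: the injected markup is simply delivered over an encrypted connection, exactly as the attacker intended.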