I need to construct a form whose action takes you back to the exact same page - GET parameters included. I'm thinking I can say something to the effect of:
First of all, you cannot trust $_SERVER['PHP_SELF'] (1) - use $_SERVER['SCRIPT_NAME'] instead.
As for $_SERVER['QUERY_STRING'], you should treat it as any other user input. Filter it before using it in your output. I would not recommend some sort of a general filter in this case. It would be better to reassemble the query string from specific pieces you expect to be there.
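One way to do what this answer recommends, as an added example that is not part of the original answer: the query string is reassembled from an allow-list of expected keys (the `page` and `sort` parameters, the `build_self_action` helper and the sample input are assumptions for illustration), then escaped for the attribute context.

```php
<?php
// Added example: build a form action that returns to the current script with
// only the query parameters this page expects, instead of echoing
// $_SERVER['QUERY_STRING'] or $_SERVER['PHP_SELF'] verbatim.

/**
 * @param string                  $scriptName usually $_SERVER['SCRIPT_NAME']
 * @param array<string,mixed>     $input      usually $_GET
 * @param array<string,callable>  $rules      key => validator returning the
 *                                            cleaned value, or null to drop it
 */
function build_self_action(string $scriptName, array $input, array $rules): string
{
    $params = [];
    foreach ($rules as $key => $validate) {
        // Skip parameters that are absent or not scalar (e.g. ?page[]=1).
        if (!array_key_exists($key, $input) || !is_string($input[$key])) {
            continue;
        }
        $clean = $validate($input[$key]);
        if ($clean !== null) {
            $params[$key] = $clean;
        }
    }
    // http_build_query percent-encodes every key and value for the URL.
    $query  = http_build_query($params);
    $action = $scriptName . ($query === '' ? '' : '?' . $query);
    // Escape for the HTML attribute context so quotes or '&' cannot break out.
    return htmlspecialchars($action, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical parameters for this page: a numeric page and a fixed sort key.
$rules = [
    'page' => fn(string $v): ?string => ctype_digit($v) ? $v : null,
    'sort' => fn(string $v): ?string => in_array($v, ['name', 'date'], true) ? $v : null,
];

// Constructed sample input standing in for $_GET; unknown keys are dropped and
// an invalid 'sort' value is discarded by its validator.
$sampleGet = ['page' => '3', 'sort' => 'price', 'unexpected' => '"><b>x</b>'];
$demo = build_self_action('/index.php', $sampleGet, $rules);

// Real usage on the page itself:
$action = build_self_action($_SERVER['SCRIPT_NAME'], $_GET, $rules);
?>
<form method="post" action="<?= $action ?>">
    <input type="submit" value="Go">
</form>
```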