`PHP_SELF` opens up a page to XSS attacks when code such as `echo $_SERVER['PHP_SELF']` is included, but what about `SCRIPT_NAME`? Since it does not include path info, is this safe to use? I know you can use `htmlentities` and other similar functions to sanitize, but I'd rather avoid the extra function call.
I'm quite sure that it would be safe to use, but I'd like the reassurance of the SO community.
As good practice, you should always protect against any variable coming from `$_SERVER`, `$_GET`, `$_POST`, etc.

A simple way to sanitize a string:

```php
<?php
// FILTER_SANITIZE_STRING strips tags and HTML-encodes single and double quotes.
// Note: this filter is deprecated as of PHP 8.1.
$str = filter_var($input, FILTER_SANITIZE_STRING);
```

Or you can use `htmlentities`. I create a class that I use when returning any variables from `$_SERVER`, `$_GET` and `$_POST`.
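The following is an added example, not code from the question or the answer above, showing the practice the answer recommends: escape the `$_SERVER` value at the point where it is written into HTML, whichever variable you pick. It uses `htmlspecialchars` rather than `FILTER_SANITIZE_STRING` because the latter strips tags instead of encoding them and has been deprecated since PHP 8.1. The helper names `h` and `formAction` and the `$evilServer` array are constructed for the example; the array stands in for a request where path info containing a quote and a script tag was appended to the URL.

```php
<?php
// Added example (not from the original post): escaping $_SERVER values
// before echoing them into an HTML attribute.
declare(strict_types=1);

/**
 * Escape a string for HTML text or attribute context.
 * ENT_QUOTES encodes both ' and " so the value cannot close a quoted
 * attribute; ENT_SUBSTITUTE avoids returning an empty string on bad UTF-8.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Build the opening <form> tag from one $_SERVER entry.
 * Works the same whether $key is 'PHP_SELF' or 'SCRIPT_NAME': the value is
 * always escaped, so the question of which one is "safe raw" never arises.
 */
function formAction(array $server, string $key): string
{
    $path = $server[$key] ?? '/';
    return '<form method="post" action="' . h($path) . '">';
}

// Constructed request data (hypothetical): PHP_SELF carries attacker-supplied
// path info, SCRIPT_NAME carries only the script path.
$evilServer = [
    'PHP_SELF'    => '/index.php/"><script>alert(1)</script>',
    'SCRIPT_NAME' => '/index.php',
];

// Vulnerable pattern from the question: the raw value is written into the
// attribute, so the embedded " closes the attribute and the <script> tag lands
// in the page as markup.
$unsafe = '<form method="post" action="' . $evilServer['PHP_SELF'] . '">';

// Hardened: the same value, escaped at output.
$safe = formAction($evilServer, 'PHP_SELF');

// Self-check: every character that could break out of the attribute is encoded.
$expected = '<form method="post" action="/index.php/&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">';
if ($safe !== $expected) {
    throw new RuntimeException('escaping did not produce the expected markup');
}
if (str_contains($safe, '<script>')) {
    throw new RuntimeException('script tag survived escaping');
}

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";
echo 'script_name: ' . formAction($evilServer, 'SCRIPT_NAME') . "\n";
```

Run it with `php example.php`. The point of routing every `$_SERVER`, `$_GET` and `$_POST` value through one escaping function is that the decision no longer depends on how a particular server sets a particular variable; the single extra function call is cheaper than auditing each variable's origin.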