I am just learning about escaping things and started reading about how it could be risky to use $_SERVER['HTTP_HOST'] due to XSS attacks.
I came up with this and was wondering if I could get some feedback on my attempt.
    htmlspecialchars(
        filter_var( $_SERVER[ 'HTTP_HOST' ], FILTER_SANITIZE_URL ),
        ENT_QUOTES, 'UTF-8'
    )
Does it look okay?
So much depends on this one variable being secure, I just had to ask for input.
EDIT:
I will be using this for display throughout the site, including basic anchor-hrefs, form-actions, etc.
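
Added example, not part of the original post: escaping with htmlspecialchars() makes the value safe to print into HTML, but it does not establish that the host is one this site serves, which matters once the value is used in hrefs and form actions. The sketch below checks the client-supplied header against an allowlist first and escapes at output; the host names, `ALLOWED_HOSTS`, `DEFAULT_HOST`, `trusted_host()` and `e()` are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the names this site is really served under (hypothetical values).
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];
const DEFAULT_HOST  = 'example.com';

/**
 * Map the client-supplied Host header to a host from the allowlist.
 * Anything not on the list (or missing) falls back to DEFAULT_HOST.
 */
function trusted_host(?string $rawHost): string
{
    if ($rawHost === null) {
        return DEFAULT_HOST;
    }
    // Normalise: lower-case, strip an optional :port and a trailing dot.
    $host = strtolower(trim($rawHost));
    $host = preg_replace('/:\d{1,5}$/', '', $host) ?? $host;
    $host = rtrim($host, '.');

    return in_array($host, ALLOWED_HOSTS, true) ? $host : DEFAULT_HOST;
}

/** Escape for HTML text and quoted attribute values. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample Host header values, standing in for $_SERVER['HTTP_HOST'].
$samples = [
    'www.example.com',
    'EXAMPLE.com:443',
    'example.com"><b>injected</b>',
    'other-site.test',
    null,
];

foreach ($samples as $raw) {
    $host = trusted_host($raw);
    $url  = 'https://' . $host . '/login';
    // Validation decides which host is used; escaping happens at output time.
    echo '<a href="' . e($url) . '">' . e($host) . "</a>\n";
}
```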