[development] filtering PHP_SELF
David Caylor
david at davidcaylor.com
Mon Feb 26 15:20:52 UTC 2007
bootstrap uses PHP_SELF in conf_init and request_uri, as far as I can
tell without filtering. This isn't safe. Is this getting filtered
somewhere or somehow that I'm missing?
If it isn't getting filtered elsewhere, adding htmlentities to these two
functions would be an inelegant but sufficient (for security purposes)
fix.
See here for a discussion about not trusting PHP_SELF:
http://blog.phpdoc.info/archives/13-guid.html
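As an added illustration (not Drupal's code or the poster's), here is a constructed PHP_SELF value reflected through a hypothetical request_uri() helper, with and without the htmlentities() call proposed above:

```php
<?php
// Added example: how an unfiltered PHP_SELF reaches page output, and the
// htmlentities() fix proposed in the post. Not Drupal's own code.

// Constructed sample: PHP_SELF reflects the request path as the client sent
// it, so any PATH_INFO suffix the client appends ends up here unescaped.
$_SERVER['PHP_SELF'] = '/index.php/"><i>injected</i>';

// Hypothetical helper mirroring an unfiltered request_uri(): raw value.
function request_uri_unfiltered(): string {
    return $_SERVER['PHP_SELF'];
}

// Hypothetical hardened variant: encode before the value can reach HTML.
// ENT_QUOTES matters: without it, single quotes pass through untouched on
// PHP versions before 8.1, whose default flags are ENT_COMPAT | ENT_HTML401.
function request_uri_filtered(): string {
    return htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
}

// Typical sink: a form that posts back to the current page.
printf("<form action=\"%s\">\n", request_uri_unfiltered()); // attribute broken, markup injected
printf("<form action=\"%s\">\n", request_uri_filtered());   // rendered as inert text
```

htmlentities() is output encoding for the HTML sink only; if the same value is also used to compute paths or redirects, it needs separate validation for that use.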