#171606 by Heine: ported security fix from Drupal 4.7/5; use SCRIPT_NAME instead of PHP_SELF in links to avoid XSS holes