Since $_SERVER['REQUEST_URI'] contains the unchanged URI as it appeared in the request line, the characters that can get passed depend on what characters are allowed in a URI path, more precisely in a path segment:

    segment = *pchar
    pchar   = unreserved / pct-encoded / sub-delims / ":" / "@"

Where pct-encoded is a percent-encoded octet, and unreserved as well as sub-delims are defined as follows:

    unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
    sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

These allowed characters are not sufficient for a Cross-Site Scripting attack when the injection occurs in the content of an HTML element like in your case a <h1>…</h1>. You would at least need a < to be able to create a start-tag.
However, if you were to decode the percent-encoded octets, any character could be passed.
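
The difference between the raw and the decoded path, as an added example that is not part of the original answer: it checks a path against the pchar grammar quoted above, decodes it, and escapes the result before placing it in the heading. The sample URI and the function names isPcharOnlyPath and renderHeading are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample of a raw request target, as PHP exposes it in
// $_SERVER['REQUEST_URI']: percent-encoding is still intact.
$requestUri = '/search/%3Cb%3Etitle%3C%2Fb%3E?q=1';

// True if every path segment uses only pchar characters
// (unreserved / pct-encoded / sub-delims / ":" / "@").
// Hypothetical helper, not a PHP built-in.
function isPcharOnlyPath(string $path): bool
{
    $pchar = '[A-Za-z0-9\-._\~!$&\'()*+,;=:@]|%[0-9A-Fa-f]{2}';
    return preg_match('~^(?:/(?:' . $pchar . ')*)+$~D', $path) === 1;
}

// Escape at the point of output into HTML element content.
// Hypothetical helper, not a PHP built-in.
function renderHeading(string $text): string
{
    return '<h1>'
        . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</h1>';
}

$path = parse_url($requestUri, PHP_URL_PATH);
if (!is_string($path)) {
    exit("unparsable request target\n");
}

// 1. Raw path: "<" appears only in its encoded form %3C.
var_dump(isPcharOnlyPath($path));
var_dump(strpos($path, '<') !== false);

// 2. After decoding, the same value contains markup characters.
$decoded = rawurldecode($path);
var_dump(strpos($decoded, '<') !== false);

// 3. Escaped on output, the decoded value renders as text, not markup.
echo renderHeading($decoded), "\n";
```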