
How to sanitize $_SERVER url variables?

Çağlar Arlı


An attacker used the HTTP_REFERER variable to inject JavaScript by sending the following in the header:

Referer: javascript:alert(document.cookie)//a

This was present in $_SERVER['HTTP_REFERER'] and was evaluated in a "Back" button.

Besides the sanitization that I'll do in the back button, I want to sanitize $_SERVER variables in PHP in order to prevent future attacks.

Because I'm expecting a URL value for 'HTTP_REFERER' I tried this:

$_SERVER['HTTP_REFERER'] = filter_var($_SERVER['HTTP_REFERER'], FILTER_SANITIZE_STRING);

But the value wasn't changed. Same thing for this:

$_SERVER['HTTP_REFERER'] = filter_var($_SERVER['HTTP_REFERER'], FILTER_SANITIZE_URL, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);

And this:

$_SERVER['HTTP_REFERER'] = htmlspecialchars($_SERVER['HTTP_REFERER']);

What's the best way to sanitize the following: 'HTTP_REFERER', 'PHP_SELF', 'REQUEST_URI' ?
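The page carries only the question, so the following PHP is an added example rather than an answer from the original thread. It shows why the three attempts above could not change the payload and what does work. The string javascript:alert(document.cookie)//a contains no HTML metacharacters and no bytes below 0x20 or above 0x7F, so FILTER_SANITIZE_STRING (deprecated since PHP 8.1), FILTER_SANITIZE_URL with FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH, and htmlspecialchars() all pass it through untouched; the dangerous part is the URL scheme, which is a validation problem, not an encoding problem. The fix is to treat the Referer as untrusted input, accept it only if it is a well-formed http(s) URL on your own host, fall back to a fixed URL otherwise, and escape at output time for the HTML attribute context. The host name example.com, the fallback path /home and the sample Referer values are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the original post: validate the Referer as a
// same-origin http(s) URL before using it in a "Back" link, with a fixed
// fallback, and escape it separately when it is written into HTML.
declare(strict_types=1);

/**
 * Return a URL that is safe to place in an href, or $fallback when the
 * referer is missing, malformed, uses a non-http(s) scheme, or points at
 * another origin. Validation rejects; it never tries to "clean" the value.
 */
function safe_back_url(?string $referer, string $expectedHost, string $fallback = '/'): string
{
    if ($referer === null || $referer === '') {
        return $fallback;
    }

    // Reject control characters and whitespace outright. They enable tricks
    // such as "java\tscript:" and attribute break-outs, and a real Referer
    // never contains them.
    if (preg_match('/[\x00-\x20\x7f]/', $referer) === 1) {
        return $fallback;
    }

    // FILTER_VALIDATE_URL rejects the exact payload from the post because it
    // has no host part, but it accepts e.g. "javascript://x/%0aalert(1)",
    // so the scheme allow-list below is the check that actually matters.
    if (filter_var($referer, FILTER_VALIDATE_URL) === false) {
        return $fallback;
    }

    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }

    // Allow-list the scheme: javascript:, data:, vbscript:, file: all fail here.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }

    // Same-origin check: only ever link back into our own site.
    if (strcasecmp($parts['host'], $expectedHost) !== 0) {
        return $fallback;
    }

    return $referer;
}

/**
 * Escape for an HTML attribute context. This belongs at output time; it is
 * not a substitute for validating the URL, since it leaves "javascript:" intact.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Demonstration with constructed inputs. The expected host is an assumption
// and should come from configuration, not from the request itself.
$expectedHost = 'example.com';

$cases = [
    'javascript:alert(document.cookie)//a',               // payload from the post
    'https://example.com/orders?id=5',                    // legitimate same-origin referer
    'https://evil.example.net/phish',                     // foreign origin
    "https://example.com/a\" onmouseover=\"alert(1)",     // attribute break-out attempt
    'https://example.com/search?q=1&page=2',              // valid, but "&" still needs escaping
    '',                                                   // header absent
];

foreach ($cases as $referer) {
    $url = safe_back_url($referer, $expectedHost, '/home');
    echo '<a href="' . attr($url) . '">Back</a>', PHP_EOL;
}
```

Of the constructed inputs, only the two same-origin https URLs survive; the others become /home, and the one containing & is written as &amp; by attr(). The same split applies to the other variables in the question: do not try to sanitize $_SERVER in place, since later code then trusts a value that was only partially cleaned. Escape PHP_SELF and REQUEST_URI with htmlspecialchars() at the point of output (or, better, generate form actions and links from your own routing rather than echoing the request path back), and validate HTTP_REFERER against an allow-list as above before ever using it as a navigation target.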