Possible Duplicate:
PHP_SELF and XSS
Why it's necessary to filter $_SERVER['PHP_SELF'], from e.g.:
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<!-- form contents -->
</form>
to:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>">
<!-- form contents -->
</form>
in order to make it XSS-attack proof?
and:
How can attacker reach end users other than himself using the "vulnerability" of the first form?