
PHP_SELF and XSS [duplicate]

This question already has answers here: Closed 11 years ago.

Possible Duplicate:

PHP_SELF and XSS

Why is it necessary to filter $_SERVER['PHP_SELF'], from e.g.:

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <!-- form contents -->
</form>

to:  

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>">
  <!-- form contents -->
</form>  

in order to make it XSS-attack proof?

and:

How can an attacker reach end users other than himself using the "vulnerability" of the first form?


How can an attacker reach end users other than himself using the "vulnerability" of the first form?

The attacker can link to your site from a site he controls or an email he sends.


If you’re using AcceptPathInfo or something similar such that a URI like /index.php/foo/bar is directed to /index.php, requesting /index.php/%22%E3E… can get your following data outside the form tag.

And as for the second question: click here.

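To make the two answers above concrete (the attacker-supplied link, and the path-info trick that puts attacker text into PHP_SELF), here is an added example that is not part of the original question or answers. It assumes the script is served as /index.php with AcceptPathInfo enabled, so a request to /index.php/<payload> leaves PHP_SELF equal to "/index.php/<payload>" with the payload URL-decoded; the hostname victim.example and the payload itself are constructed for illustration. It renders the question's "before" and "after" forms for that request so the difference is visible.

```php
<?php
// Added example (not from the original question or answers): how a crafted
// request path turns the unescaped PHP_SELF form into script injection, and
// why htmlspecialchars() with ENT_QUOTES neutralises it.
// Run from the CLI: php php_self_xss.php
//
// Assumption: the script is reachable as /index.php and the web server passes
// extra path segments through (AcceptPathInfo On), so for a request to
// /index.php/<payload> PHP sets $_SERVER['PHP_SELF'] = "/index.php/<payload>"
// with the payload already URL-decoded.

// Constructed attacker payload: closes the action attribute and the form tag,
// injects a script element, then re-opens a form so the page still renders.
$payload = '"><script>alert(document.cookie)</script><form action="';

// The link the attacker would send (by email or from a page he controls).
$requestPath = '/index.php/' . rawurlencode($payload);

// Simulate what PHP_SELF holds once the victim's browser requests that link.
$_SERVER['PHP_SELF'] = '/index.php/' . $payload;

function vulnerableForm(): string {
    // The "before" form from the question: PHP_SELF echoed raw into an attribute.
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">' . "\n"
         . '  <!-- form contents -->' . "\n"
         . '</form>';
}

function hardenedForm(): string {
    // The "after" form: ENT_QUOTES escapes the double quote that would close
    // the action attribute, and < and > are escaped too, so the payload stays
    // inert attribute text instead of becoming markup.
    return '<form method="post" action="'
         . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'utf-8')
         . '">' . "\n"
         . '  <!-- form contents -->' . "\n"
         . '</form>';
}

// A literal <script> element appearing outside the attribute value is what the
// browser would execute; inside the escaped attribute it is only text.
function containsLiveScript(string $html): bool {
    return strpos($html, '<script>') !== false;
}

echo "Attacker's link: https://victim.example{$requestPath}\n\n";
echo "Unescaped output (script element is now live HTML):\n", vulnerableForm(), "\n\n";
echo "Escaped output (payload stays inside the attribute):\n", hardenedForm(), "\n\n";
printf("vulnerable form contains live <script>: %s\n", containsLiveScript(vulnerableForm()) ? 'yes' : 'no');
printf("hardened form contains live <script>:   %s\n", containsLiveScript(hardenedForm()) ? 'yes' : 'no');
```

The point of the second answer is that nothing in the attacker's URL needs to reach the server as a separate parameter: the extra path segment is simply part of the request, so any visitor who follows the link gets the injected markup rendered in the context of your site. ENT_QUOTES matters because the value sits inside a double-quoted attribute; the default flags would also escape the double quote, but ENT_QUOTES additionally covers single-quoted attributes should the markup ever change.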
