To make it safe to use you need to use htmlspecialchars().

为了安全使用，您需要使用htmlspecialchars().

<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8"); ?>

See A XSS Vulnerability in Almost Every PHP Form I've Ever Writtenfor how $_SERVER["PHP_SELF"]can be attacked.

请参阅我写过的几乎所有 PHP 表单中的 XSS 漏洞以了解如何$_SERVER["PHP_SELF"]受到攻击。

It is indeed a XSS vulnerability. I do understand that you believe it may not harm your website, but this doesn't mean it is not real.

这确实是一个XSS漏洞。我知道您认为它可能不会损害您的网站，但这并不意味着它不是真实的。

If you do not believe it, try the following:

如果您不相信，请尝试以下操作：

We assume you have a page such as "registration.php". We assume you have a form where action is:

我们假设您有一个页面，例如“registration.php”。我们假设您有一个表单，其中的 action 是：

<?php echo $_SERVER['PHP_SELF']; ?>

as you put it down indeed:

正如你确实放下它：

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <!-- form contents -->
</form>

Now simply append the string below

现在只需附加下面的字符串

%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E

It is not actually hard to understand, because PHP_SELF is a reflection of the URL, your application will read whatever you put in the URL and echo it. It is simple as that.

其实并不难理解，因为 PHP_SELF 是 URL 的反映，你的应用程序会读取你在 URL 中输入的任何内容并回显它。就这么简单。

htmlspecialchars should take care of the matter, no reason to dispute the evidence.

htmlspecialchars 应该处理这件事，没有理由对证据提出异议。

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
   <!-- form contents -->
</form>

However, even this is a first step in stealing a cookie, it's not that it take place automatically. Even if it's quite easy to craft the attack (as the attacker will register on your site and will see how the cookie looks...etc.), a series of other factors must be true to get to the point of having a cookie stealing situation. For instance, the cookie must not be expired. Than it depends of how complex the cookie is. Than maybe you have other precautions in placed on server, it doesn't have to be all authentication based on the presence of cookie!

然而，即使这是窃取 cookie 的第一步，它也不是自动发生的。即使发起攻击很容易（因为攻击者会在您的网站上注册并查看 cookie 的外观……等等），但必须满足一系列其他因素才能窃取 cookie情况。例如，cookie 不能过期。这取决于cookie的复杂程度。也许您在服务器上采取了其他预防措施，但不必完全基于 cookie 的存在进行身份验证！

While I do believe it is rather difficult and really bad programming for all conditions to met (even if yahoo.mail for example had such a vulnerability and if you look on internet you will find even the exploit and the cookie decoder), the XSS is real and who knows what a crafty attacker may do if your site suffer of it. The cure is simple...

虽然我确实相信要满足所有条件是相当困难和非常糟糕的编程（即使 yahoo.mail 有这样的漏洞，如果你在互联网上查看你甚至会发现漏洞和 cookie 解码器），XSS 是真实的，如果您的网站遭受攻击，谁知道狡猾的攻击者可能会做什么。治疗方法很简单...

The very article you linked gives you:

您链接的文章为您提供：

http://www.example.com/form.php/%22%3E%3Cscript%3Ealert(‘xss attack')%3C/script%3E%3Cbr%20class=%22irrelevant

what's not clear?

什么不清楚？

Edit: this is an XSS attack because I can hide a link from my site to yours with some JS added to the URL which sends me your cookies so the moment you click that link, you are pwnd.

编辑：这是一个 XSS 攻击，因为我可以隐藏从我的站点到你的站点的链接，并在 URL 中添加一些 JS，该 URL 向我发送您的 cookie，因此当您单击该链接时，您就是密码。

You should be using filter_input()to access superglobals in PHP. If you set the filter to FILTER_SANITIZE_FULL_SPECIAL_CHARSit will strip the unsafe characters typically used in XSS. Given your example:

您应该使用filter_input()来访问 PHP 中的超全局变量。如果您将过滤器设置为FILTER_SANITIZE_FULL_SPECIAL_CHARS，它将去除XSS 中通常使用的不安全字符。鉴于你的例子：

<form method="post" 
    action="<?php filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_FULL_SPECIAL_CHARS); ?>">
<!-- form contents -->
</form>