The best thing you can do is leave out the action attribute altogether. If you leave it out, the form will be submitted to the document's address, i.e. the same page.

你能做的最好的事情就是完全忽略 action 属性。如果您省略它，表格将被提交到文件的地址，即同一页面。

It is also possible to leave it empty, and any browser implementing HTML's form submission algorithmwill treat it as equivalent to the document's address, which it does mainly because that's how browsers currently work:

也可以将其留空，任何实现HTML 表单提交算法的浏览器都会将其视为等同于文档地址，这样做主要是因为浏览器目前是这样工作的：

8.Let action be the submitter element's action.

9.If action is the empty string, let action be the document's address.

Note: This step is a willful violationof RFC 3986, which would require base URL processing here. This violation is motivated by a desire for compatibility with legacy content. [RFC3986]

8.让 action 成为提交者元素的action。

9.如果 action 是空字符串，则让 action 为文档的地址。

注意：此步骤故意违反RFC 3986，此处需要处理基本 URL。这种违反的动机是希望与遗留内容兼容。[RFC3986]

This definitely works in all current browsers, but may not work as expected in some older browsers ("browsers do weird things with an empty action="" attribute"), which is why the spec strongly discourages authors from leaving it empty:

这绝对适用于所有当前浏览器，但在某些旧浏览器中可能无法按预期工作（“浏览器使用空操作 =“”属性做奇怪的事情”），这就是规范强烈建议作者不要将其留空的原因：

The actionand formactioncontent attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces.

在action与formaction内容属性，如果指定，必须有一个值是一个有效的非空URL用空格潜在的包围。

Actually, the Form Submission subsectionof the current HTML5 draft does not allow action="". It is against the spec.

实际上，当前 HTML5 草案的表单提交小节不允许action="". 这是违反规范的。

The actionand formactioncontent attributes, if specified, must have a value that is a valid non-emptyURL potentially surrounded by spaces. (emphasis added)

在action与formaction内容属性，如果指定，必须有一个值是一个有效的非空URL用空格潜在的包围。（强调）

The quoted section in mercator's answeris a requirement on implementations, not authors. Authors must follow the author requirements. To quote How to read this specification:

墨卡托回答中引用的部分是对实现的要求，而不是对作者的要求。作者必须遵守作者要求。引用如何阅读本规范：

In particular, there are conformance requirements that apply to producers, for example authors and the documents they create, and there are conformance requirements that apply to consumers, for example Web browsers. They can be distinguished by what they are requiring: a requirement on a producer states what is allowed, while a requirement on a consumer states how software is to act.

特别是，存在适用于生产者（例如作者及其创建的文档）的一致性要求，以及适用于消费者（例如 Web 浏览器）的一致性要求。它们可以通过它们的要求来区分：对生产者的要求说明了允许的内容，而对消费者的要求说明了软件将如何运行。

The change from HTML4—which did allow an empty URL—was made because “browsers do weird things with an empty action=""attribute”. Considering the reason for the change, its probably best not to do that in HTML4 either.

对 HTML4 的更改（确实允许空 URL）是因为“浏览器会用空action=""属性做奇怪的事情”。考虑到更改的原因，最好也不要在 HTML4 中这样做。

Not including the action attribute opens the page up to iframe clickHymaningattacks, which involve a few simple steps:

不包括 action 属性会打开页面以进行iframe 点击劫持攻击，这涉及几个简单的步骤：

• An attacker wraps your page in an iframe
• The iframe URL includes a query param with the same name as a form field
• When the form is submitted, the query value is inserted into the database
• The user's identifying information (email, address, etc) has been compromised

• 攻击者将您的页面包装在 iframe 中
• iframe URL 包含一个与表单字段同名的查询参数
• 表单提交时，查询值插入到数据库中
• 用户的识别信息（电子邮件、地址等）已被泄露

References

参考

• Bypassing CSRF protections with ClickHymaning and HTTP Parameter Pollution

• 使用 ClickHymaning 和 HTTP 参数污染绕过 CSRF 保护

This will validate with HTML5.

这将使用 HTML5 进行验证。

<form action="#">

IN HTML 5 action=""IS NOT SUPPORTED SO DON'T DO THIS. BAD PRACTICE.

action=""不支持HTML 5，所以不要这样做。不好的做法。

If instead you completely negate action altogether it will submit to the same page by default, I believe this is the best practice:

相反，如果您完全否定操作，默认情况下它将提交到同一页面，我相信这是最佳实践：

<form>This will submit to the current page</form>

If you are sumbitting the form using php you may want to consider the following. read more about it here.

如果您使用 php 对表单进行汇总，您可能需要考虑以下内容。在此处阅读更多相关信息。

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

Alternatively you could use #bear in mind though that this will act like an anchor and scroll to the top of the page.

或者，您可以使用#记住，尽管这将像一个锚点并滚动到页面顶部。

<form action="#">

I think it's best to explicitlystate where the form posts. If you want to be totally safe, enter the same URL the form is on in the action attribute if you want it to submit back to itself. Although mainstream browsers evaluate ""to the same page, you can't guarantee that non-mainstream browsers will.

我认为最好明确说明表单发布的位置。如果您想完全安全，请在操作属性中输入表单所在的相同 URL，如果您希望表单提交回自身。虽然主流浏览器对""同一个页面进行评估，但你不能保证非主流浏览器也会。

And of course, the entire URL including GET data like Juddling points out.

当然，包括像 Juddling 这样的 GET 数据在内的整个 URL 都指出了。

I normally use action="", which is XHTML valid and retains the GET data in the URL.

我通常使用 action=""，它是 XHTML 有效的并且在 URL 中保留 GET 数据。

Just use

只需使用

?

?

<form action="?" method="post" enctype="multipart/form-data" name="myForm" id="myForm">

It doesn't violate HTML5 standards.

它不违反 HTML5 标准。

I used to do this a lot when I worked with Classic ASP. Usually I used it when server-side validation was needed of some sort for the input (before the days of AJAX). The main draw back I see is that it doesn't separate programming logic from the presentation, at the file level.

我在使用 Classic ASP 时经常这样做。通常我在需要对输入进行某种类型的服务器端验证时使用它（在 AJAX 时代之前）。我看到的主要缺点是它没有在文件级别将编程逻辑与演示文稿分开。

I use to do not specify action attribute at all. It is actually how my framework is designed all pages get submitted back exact to same address. But today I discovered problem. Sometimes I borrow action attribute value to make some background call (I guess some people name them AJAX). So I found that IE keeps action attribute value as empty if action attribute wasn't specified. It is a bit odd in my understanding, since if no action attribute specified, the JavaScript counterpart has to be at least undefined. Anyway, my point is before you choose best practice you need to understand more context, like will you use the attribute in JavaScript or not.

我过去根本不指定 action 属性。这实际上是我的框架的设计方式，所有页面都被准确地提交回相同的地址。但是今天我发现了问题。有时我会借用 action 属性值来进行一些后台调用（我猜有些人将它们命名为 AJAX）。所以我发现如果没有指定 action 属性，IE 会将 action 属性值保留为空。我的理解有点奇怪，因为如果没有指定 action 属性，那么 JavaScript 对应项至少必须是未定义的。无论如何，我的观点是在您选择最佳实践之前，您需要了解更多上下文，例如您是否会在 JavaScript 中使用该属性。