PHP Classes

XSS attack vulnerability

Package:PHP Forms Class with HTML Generator and JavaScript Validation
Subject:XSS attack vulnerability
Summary:Is an XSS attack possible when using PHP_SELF
Messages:2
Author:Chirs
Date:2007-02-11 10:25:46
Update:2007-02-11 13:31:13
 

  1. XSS attack vulnerability
Chirs - 2007-02-11 10:25:46
Hey Manuel,

I would like to thank you for such a solid class that you provide for us.

This is a quote from your documentation for this class.

[[Quote]]One simple way to define the ACTION property to make the form be handled by the same script is to set it with the value of the PHP global variable $PHP_SELF.[[UnQuote]]

If followed, is it not vulnerable to a cross-site scripting attack as mentioned in:

blog.phpdoc.info/archives/13-XSS-Wo ...

Thank you.

  2. Re: XSS attack vulnerability
Manuel Lemos - 2007-02-11 13:31:13 - In reply to message 1 from Chirs
There is no security problem using $PHP_SELF with the forms class because it correctly encodes the ACTION attribute. Even if somebody tries to spoof a malicious value into $PHP_SELF, the forms class uses HTMLSpecialChars or HtmlEntities to encode the ACTION value, and so any CSS attack attempt does not have any harmful effect.

Anyway, I am glad you brought that quote of the documentation to my attention. It was written in the days when register_globals was on by default, so $PHP_SELF is often not set in many PHP installations.

Other than that, there is a much simpler way to make the form be submitted to the same script, which is by setting the ACTION to an empty string, or to ? in case you want to get rid of any GET request parameters passed in the script URL. I have now updated the documentation to explain that.
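To illustrate the two points in the reply, here is an added example (not code from the PHP Forms Class or its documentation): the unencoded pattern the question worries about, the same ACTION passed through htmlspecialchars() as the reply describes, and the empty-ACTION alternative. The $php_self value is a constructed sample standing in for whatever the server put in PHP_SELF.

```php
<?php
// Added example, not the forms class's own code. The sample value below is
// constructed: PHP_SELF can carry extra path segments when a script is
// reached as /form.php/<anything>, so it is treated as untrusted input.
// In a real request it would come from $_SERVER['PHP_SELF'].
$php_self = '/form.php/"extra<path>';

// Unencoded: the attribute delimiter and tag characters in PHP_SELF are
// written straight into the markup, so the attribute can be closed early.
function action_unencoded(string $self): string
{
    return '<form action="' . $self . '" method="post">';
}

// Encoded as the reply describes: htmlspecialchars() turns & < > " ' into
// entities, so the value stays inside the attribute no matter what it holds.
function action_encoded(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// The simpler alternative from the reply: an empty ACTION submits to the
// current script without echoing the path at all; "?" additionally drops
// any GET parameters from the current URL.
function action_same_script(bool $drop_query = false): string
{
    return '<form action="' . ($drop_query ? '?' : '') . '" method="post">';
}

echo action_unencoded($php_self), "\n";
echo action_encoded($php_self), "\n";
echo action_same_script(), "\n";
echo action_same_script(true), "\n";
```

With ENT_QUOTES the quote and angle brackets in the sample come out as &quot;, &lt; and &gt;, so the encoded form tag remains a single well-formed attribute, whereas the unencoded line shows the raw characters in place.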