The danger of PHP_SELF
The $_SERVER['PHP_SELF'] or old syntax $PHP_SELF superglobal gives you the filename of the currently executing script, relative to the document root.
Often used in forms or in links.
Here you see a normal login form with the form container above.
It’s possible to break the form with login.php/”<h1>XSS</h1> in the URL.
This method is called Cross Site Scripting (XSS) and is often used for phishing.
Every PHP_SELF should be converted to HTML entities, with a function like htmlentities.