$_SERVER['PHP_SELF'] vulnerability not “wo

Posted 2019-09-01 15:32

Question:

Looking at some old code of a client's, he's using

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" />

I was wondering if it was subject to XSS, but when I try:

  • form.php"><script>alert('xss');</script> => 404 NOT FOUND from Apache
  • form.php/"><script>alert('xss');</script> => 404 From my app

I must specify that I also use ?action=specific_page in the url for its normal use.

Does that mean no XSS is possible using PHP_SELF or does that mean I'm trying it the wrong way?

Answer 1:

If your form is at the form.php script, try accessing it with a URL in the browser like http://yoursite.com/form.php/"><script>alert('XSS')</script> to see if it is vulnerable to injection.

If it doesn't do anything, your configuration prevents this, at least for this specific file.

(Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME']) anyway.)
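The following PHP script is an added example, not code from the question or the answer. It shows why the payload in the answer works against an unescaped `$_SERVER['PHP_SELF']` and what the answer's `htmlspecialchars($_SERVER['SCRIPT_NAME'])` advice changes. On Apache, PHP_SELF is SCRIPT_NAME plus any trailing PATH_INFO, so a request for `/form.php/"><script>...` lands the decoded path segment inside the action attribute; a server that refuses path info for PHP files (for example Apache with `AcceptPathInfo Off`) answers 404 instead, which is one explanation for what the question reports. The function names and the `$server` array are constructed for this example; run it from the command line with `php example.php`.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). $phpSelf stands in for
// $_SERVER['PHP_SELF'], which on Apache is SCRIPT_NAME followed by PATH_INFO.

/** Vulnerable: echoes the path unescaped, as the client's template does. */
function actionUnescaped(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '">';
}

/** Hardened: escape for an HTML attribute context; ENT_QUOTES covers both quote styles. */
function actionEscaped(string $phpSelf): string
{
    return '<form action="'
        . htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

/** Safer still: SCRIPT_NAME never carries PATH_INFO, so attacker-controlled path segments never reach the attribute. */
function actionFromScriptName(array $server): string
{
    return '<form action="'
        . htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

// Constructed request, modelling GET /form.php/"><script>alert('xss')</script>
// on a server that accepts path info for PHP files.
$server = [
    'SCRIPT_NAME' => '/form.php',
    'PATH_INFO'   => "/\"><script>alert('xss')</script>",
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

$unsafe  = actionUnescaped($server['PHP_SELF']);
$escaped = actionEscaped($server['PHP_SELF']);
$byName  = actionFromScriptName($server);

echo "Unescaped PHP_SELF:      $unsafe\n";
echo "Escaped PHP_SELF:        $escaped\n";
echo "Escaped SCRIPT_NAME:     $byName\n";

// Self-checks: the raw <script> tag survives only in the vulnerable variant.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($escaped, '<script>') === false);
assert(strpos($escaped, '&quot;&gt;&lt;script&gt;') !== false);
assert($byName === '<form action="/form.php">');
```

Of the three variants, the last is the one the answer recommends: escaping on output is the rule that applies to every value placed in HTML, and choosing SCRIPT_NAME over PHP_SELF removes the request-controlled path segment from the value in the first place.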

Tags: php security