Monday, May 14, 2012

Security Checklist for PHP websites - Input from $_GET, $_POST, $_COOKIE, and $_REQUEST is considered tainted, and so are $_SERVER['PHP_SELF'] and $_SERVER['REQUEST_URI'].

http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/

Common example:

<form action="<?php echo $_SERVER['PHP_SELF']; ?>">

Another example:

<a href="<?php echo $_SERVER['PHP_SELF']; ?>?foo=bar">link title</a>

Here are my two rules regarding $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] in forms or links:
  • Do not use them
  • If you use one of them, escape it with esc_url() (WordPress's URL-escaping function; outside WordPress, htmlspecialchars() with ENT_QUOTES does the job for an HTML attribute)
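
Why the two rules matter, as an added example that is not part of the original post or of Mark Jaquith's article: $_SERVER['PHP_SELF'] is built from the script name plus PATH_INFO, so a request for /form.php/"><script>alert(1)</script> puts the attacker's string straight into the value. The script below sets a constructed PHP_SELF to stand in for what the web server would deliver (the path /form.php is hypothetical), then renders the vulnerable form from the example above next to an escaped form and a form that does not echo the request path at all. It is plain PHP, so it uses htmlspecialchars() where WordPress code would use esc_url().

```php
<?php
// Added example: attacker-controlled $_SERVER['PHP_SELF'] in a form action.
//
// PATH_INFO is URL-decoded by the web server, so %22 and %3C arrive as
// literal '"' and '<'. This value is a constructed sample standing in for
// what Apache/nginx would set for the request described in the lead-in.
$_SERVER['PHP_SELF'] = '/form.php/"><script>alert(1)</script><b "';

// Vulnerable: the same markup as the post's "common example".
function vulnerable_form(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">'
        . '<input type="submit"></form>';
}

// Hardened (the post's second rule): escape for the HTML attribute context.
// ENT_QUOTES also escapes the double quote that would otherwise close the
// action attribute, so the injected '>' and '<script>' stay inside it as text.
function escaped_form(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">'
        . '<input type="submit"></form>';
}

// Preferred (the post's first rule): do not echo the request path at all.
// An empty action submits to the current URL; a hard-coded path also works.
function safe_form(): string
{
    return '<form action="" method="post"><input type="submit"></form>';
}

// Detection helper: does the rendered HTML still contain a raw <script> tag?
function contains_raw_script(string $html): bool
{
    return strpos($html, '<script>') !== false;
}

// Inside WordPress, esc_url() is the equivalent of the escaping step:
//   '<form action="' . esc_url($_SERVER['PHP_SELF']) . '" method="post">'
// It is not available in plain PHP, hence htmlspecialchars() above.

foreach (['vulnerable_form', 'escaped_form', 'safe_form'] as $fn) {
    $html = $fn();
    printf("%s\n%s\nraw <script> present: %s\n\n",
        $fn, $html, contains_raw_script($html) ? 'yes' : 'no');
}
```

Run it with `php example.php`: only the vulnerable form reports a raw `<script>` tag, because the attacker's `"` closed the action attribute and the rest of the payload became live markup. The same applies to the link example above and to $_SERVER['REQUEST_URI'], which carries the request path and query string exactly as the client sent them.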
