Preventing data injection with htmlspecialchars() function

Question

Many documents recommend to use htmlspecialchars() to get rid of data injection during form submitting. form-validation.

With html5 (i guess) not using action attribute of form, makes the similar effect with using $_SERVER["PHP_SELF"]. Does actionless forms create the same security leak as well?

Answer 1

No. If you make actionless form, you don't use $_SERVER["PHP_SELF"], so its safe.