It sounds like you're confusing htmlspecialchars
with urlencode
.
htmlspecialchars
replaces characters with special meaning in HTML with &
-escaped entities. So, for example, '
becomes '
. It doesn't turn %22
into "
, however, because %22
has no special meaning in HTML, so it's safe to display it without modification.
urlencode
replaces characters with special meaning in URLs with hexadecimal character codes using %
. So, for example, "
becomes %22
.
If you want a form to be handled by the same URL that is used to display it, always use action=""
rather than action=<?=$_SERVER['PHP_SELF']?>
or action=<?=$_SERVER['REQUEST_URI']?>
. As you've already figured out, there are serious risks of cross-site scripting (XSS) if you use either of the $_SERVER
variables, because they contain user input and therefore cannot be trusted. So, unless you have a good reason that you need to tweak the URL somehow, just use action=""
.