What are common pitfalls when using $_SERVER['PHP_SELF'] in PHP forms?

$_SERVER['PHP_SELF'] is the path of the currently executing script as it appeared in the request, and on servers that accept extra path information (PATH_INFO) it also carries whatever the client appended after the script name. A request for /form.php/"><script>alert(1)</script><foo a=" therefore puts attacker-controlled characters into $_SERVER['PHP_SELF'], and echoing that value unencoded into the form's action attribute lets those characters close the attribute and inject markup: a reflected cross-site scripting (XSS) vulnerability. The mitigation is output encoding, not input sanitising: pass the value through htmlspecialchars() at the point where it is written into the HTML, ideally with ENT_QUOTES so that both double and single quotes are escaped. Better still, avoid reflecting the request path at all, either by omitting the action attribute (browsers then submit to the current document URL) or by writing the script path as a literal.

<!-- ENT_QUOTES escapes both " and ', so the value cannot break out of the
     attribute whichever quote style wraps it; the charset is given explicitly. -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
    <!-- form fields go here -->
</form>
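The following is an added example, not code from the original answer, that puts the vulnerable and hardened forms side by side so the effect of the encoding can be seen without a web server. The value of $phpSelf is constructed to stand in for what PHP reports in $_SERVER['PHP_SELF'] when a client requests /form.php/"><script>alert(1)</script><form a=" on a server that passes PATH_INFO through; the function names are illustrative.

```php
<?php
// Constructed stand-in for $_SERVER['PHP_SELF'] after a malicious request
// (path info appended to the script name). Not real request data.
$phpSelf = '/form.php/"><script>alert(1)</script><form a="';

// Vulnerable: the request path lands unencoded inside the attribute, so the
// embedded " closes action="..." and the <script> element becomes live markup.
function vulnerableForm(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Hardened: HTML-encode at the point of output. ENT_QUOTES escapes both
// " and ' so the value cannot terminate the attribute whichever quote style
// wraps it; ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning an
// empty string (which would silently drop the action).
function hardenedForm(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Usually the best fix: do not reflect the request path at all. Without an
// action attribute the browser submits the form to the current document URL.
function fixedForm(): string
{
    return '<form method="post">';
}

echo vulnerableForm($phpSelf), PHP_EOL;
// <form method="post" action="/form.php/"><script>alert(1)</script><form a="">
echo hardenedForm($phpSelf), PHP_EOL;
// <form method="post" action="/form.php/&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;form a=&quot;">
echo fixedForm(), PHP_EOL;
// <form method="post">
```

Run it with `php example.php` and compare the three lines: in the first the injected script is parsed as an element, in the second the same bytes are inert text inside the attribute value, and in the third there is nothing attacker-controlled to encode in the first place. Note that the hardened form still posts to a URL that includes the path-info suffix, so the receiving script should not rely on PHP_SELF for routing decisions either.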