What potential issue can arise when using the PHP_SELF variable in a form action?

When a form's action attribute is built from the PHP_SELF variable, the page is exposed to a cross-site scripting (XSS) vulnerability. $_SERVER["PHP_SELF"] is derived from the requested URL, so any extra path a visitor appends is echoed back into the attribute unescaped; a crafted link can therefore close the attribute and inject attacker-controlled markup or script, which runs in the context of your site and can compromise user data or perform actions on the user's behalf. To prevent this, pass the value through the htmlspecialchars() function so that characters with special meaning in HTML (quotes and angle brackets) are encoded as entities before the variable is placed in the form action.

<!-- htmlspecialchars() encodes " < > and & as entities, so the request path can no longer break out of the double-quoted attribute -->
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
  <!-- Form fields go here -->
</form>
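The following is an added example, not part of the original answer, that puts the vulnerable and the escaped form tag side by side and shows a third option that avoids the problem at the source. The helper names (attr, vulnerable_form_action, hardened_form_action, self_script_action) and the sample PHP_SELF value are constructed for this illustration; SCRIPT_NAME is a standard CGI server variable.

```php
<?php
// Added example (not from the original answer). Shows why $_SERVER['PHP_SELF']
// must be escaped before it is placed in an HTML attribute, plus a hardened
// helper and an alternative that does not echo the request path at all.
declare(strict_types=1);

/**
 * Escape a value for use inside an HTML attribute.
 * ENT_QUOTES encodes both " and ' so the result is safe whichever quote
 * style wraps the attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead
 * of returning an empty string, which would silently drop the action.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable: the raw PHP_SELF value is written straight into the attribute. */
function vulnerable_form_action(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

/** Hardened: the same tag, but the path is escaped first. */
function hardened_form_action(string $phpSelf): string
{
    return '<form action="' . attr($phpSelf) . '" method="post">';
}

/**
 * Alternative: submit to the script's own filename. SCRIPT_NAME comes from
 * the web server's script mapping rather than from the full request URI,
 * so appended path segments never reach it. It is still escaped, because
 * every value written into markup should be.
 */
function self_script_action(array $server): string
{
    return '<form action="' . attr(basename($server['SCRIPT_NAME'])) . '" method="post">';
}

// Constructed sample: PHP_SELF includes any extra path segment a visitor
// appends to the URL (e.g. /form.php/extra), so it can carry characters
// that terminate the attribute and open a new tag.
$samplePhpSelf = '/form.php/x"><em>injected</em>';

echo vulnerable_form_action($samplePhpSelf), PHP_EOL;
echo hardened_form_action($samplePhpSelf), PHP_EOL;
echo self_script_action(['SCRIPT_NAME' => '/form.php']), PHP_EOL;
```

Running this with `php example.php` prints three form tags. In the first, the double quote and the angle brackets from the path land in the markup unchanged, so the browser sees the attribute end early followed by an attacker-supplied element. In the second, those characters are entities, so the whole path stays inside the attribute value. The third never contains the appended segment at all, which is the simplest fix when the form only ever posts back to the same script.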