Article: Autofilled PHP Forms
Subject: Cross-site-scripting (XSS) security hole...
Date: 2006-03-25 04:58:32
From: GavinAndresen
There's a security hole in the short example: $_SERVER['PHP_SELF'] should be htmlspecialchars($_SERVER['PHP_SELF']) to prevent cross-site-scripting attacks.

I've updated the examples in the .zip file. A good description of the attack can be found at:
http://blog.phpdoc.info/archives/13-XSS-Woes.html
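The fix the comment describes, shown side by side with the unescaped form action it replaces. This is an added example, not code from the article's .zip or from the commenter; it assumes a single self-posting page with one autofilled field named `name`, and the helper `h()` and function `renderForm()` are names chosen here.

```php
<?php
// Added example, not code from the original article or the comment above.
// Assumes one self-posting page (e.g. form.php) with a single autofilled field.

// Escape a value for use inside HTML text or a quoted attribute.
// ENT_QUOTES escapes both ' and " (older PHP versions default to escaping
// only double quotes); ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of making htmlspecialchars() return an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// $_SERVER['PHP_SELF'] is the script path plus any PATH_INFO the client
// appended to the URL, so it is request-controlled and must be escaped on
// output exactly like a submitted form value.
function renderForm(string $self, string $name): string
{
    // Vulnerable version from the short example (kept here only as a comment):
    //   '<form method="post" action="' . $self . '">'
    // Hardened version: every untrusted value passes through h().
    return '<form method="post" action="' . h($self) . '">' . "\n"
         . '  <label>Name: <input type="text" name="name" value="' . h($name) . '"></label>' . "\n"
         . '  <input type="submit" value="Send">' . "\n"
         . '</form>' . "\n";
}

// Autofill: re-display whatever was submitted, escaped at the point of output.
echo renderForm($_SERVER['PHP_SELF'], $_POST['name'] ?? '');
```

Using `$_SERVER['SCRIPT_NAME']` (which carries no PATH_INFO) or an empty `action=""` sidesteps this particular hole, but escaping on output is still the habit to keep, because the same pattern applies to the autofilled field values themselves.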