
$_SERVER['PHP_SELF'] vulnerability doesn't "work"?

Updated: 2023-10-21 23:17:58

If your form is at form.php script, try accessing it with a URL in the browser like http://yoursite.com/form.php/"><script>alert('XSS')</script> to see if it is vulnerable to injection.

If it doesn't do anything, your configuration prevents this, at least for this specific file.

(Of course, you should use something like htmlspecialchars($_SERVER['SCRIPT_NAME']) anyway.)
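As an added example (not code from the answer above), here is the unsafe form action built from `$_SERVER['PHP_SELF']` next to the escaped version built from `$_SERVER['SCRIPT_NAME']`, plus a small check a defender can keep in a test suite. The `$_SERVER` values are constructed inline so the script runs offline with the php CLI; the path-info suffix is an assumed illustration, not taken from any real request.

```php
<?php
// Added example, not from the original answer: PHP_SELF echoes back any
// path-info the client appended to the script path, so an unescaped echo
// into an attribute lets that suffix close the attribute and inject markup.

// Constructed values standing in for what PHP would populate on a request
// to /form.php/"><b>injected</b> (assumption, for demonstration only).
$_SERVER['SCRIPT_NAME'] = '/form.php';
$_SERVER['PHP_SELF']    = '/form.php/"><b>injected</b>';

// Unsafe pattern: raw PHP_SELF inside an HTML attribute.
function unsafeAction(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened pattern: SCRIPT_NAME carries only the script path, and
// htmlspecialchars with ENT_QUOTES turns quotes and angle brackets into
// entities, so nothing in the value can terminate the attribute.
function safeAction(): string
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Defensive check: extract the action attribute value and confirm it holds
// no raw quote or angle bracket. Returns false for the unsafe markup above
// and true for the escaped one.
function actionIsSafe(string $html): bool
{
    $prefix = '<form action="';
    $rest   = substr($html, strlen($prefix));
    $end    = strrpos($rest, '" method=');
    $action = $end === false ? $rest : substr($rest, 0, $end);
    return strpbrk($action, '"<>') === false;
}

echo unsafeAction(), PHP_EOL;
echo safeAction(), PHP_EOL;
var_dump(actionIsSafe(unsafeAction()));
var_dump(actionIsSafe(safeAction()));
```

The check deliberately takes the last `" method=` occurrence, because the injected suffix in the unsafe case contains an earlier quote; searching from the end keeps the whole attribute value under inspection. Whether `PHP_SELF` actually carries path-info depends on the server configuration (for example whether `AcceptPathInfo` is enabled), which is why the answer suggests trying the URL against your own deployment; escaping the value makes the markup safe either way.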