This is just a simple and harmless example of how the PHP_SELF variable can be exploited. Be aware that any JavaScript code can be added inside the - this would not be executed, because it would be saved as HTML-escaped code, like this: <script>location.href(' The code is now safe to be displayed on a page or inside an e-mail.

The HTML form we will be working on in these chapters contains various input fields: required and optional text fields, radio buttons, and a submit button: The validation rules for the form above are as follows: This code adds a script tag and an alert command.

For details see Using Java Script in Page Flow and Portal Applications.

Finally, the ", the form will always be submitted and no data will be posted to the form bean.

To include the Activiti jar and its dependent libraries, we advise using Maven (or Ivy), as it greatly simplifies dependency management on both our side and yours.

Follow the instructions at to include the necessary jars in your environment.

If it has not been submitted, skip the validation and display a blank form.

However, in the example above, all input fields are optional. To disable the demo setup fully, you can set all of these properties to false. But as you can see, you can also enable and disable items individually.

These pages will show how to process PHP forms with security in mind. Proper validation of form data is important to protect your form from hackers and spammers! Or you could very well choose to run Activiti as a typical, standalone BPM server.