I can see how this might be convenient. A form displayed by a PHP script wants to use that same PHP script to handle the form submission -- perhaps the form is hosted on a system with some fancy mod_rewrite rules so it's easier just to use $_SERVER['REQUEST_URI'].
This is a problem though. I'm not the XSS master, but expect it would be possible to formulate a URL that looks like a nice url on your site but which could transmit sensitive data to other entities. Do not use $_SERVER['REQUEST_URI'] to specify a form action. In fact, I wonder if it's safe to use R_SERVER['REQUEST_URI'] in your HTML output at all. REQUEST_URI is the url used by a remote user to access your page. Once they've entered enough data in the url to request a particular page, the rest of the URL is entirely up to them and if you are inserting this into your HTML, that presents an opportunity for a malicious hacker to create urls that might trick visitors.
For instance, if your site has a page "index.php":
http://example.com/index.php
and that page has something like this in its PHP code:
<div>Your request URI is <? echo $_SERVER['REQUEST_URI'] ?></div>
then someone might post a link in an email that links to your site but redirects to their evil site:
http://example.com?%3CSCRIPT+TYPE%3D%22text%2Fjavascript%22%3Edocument.location%3D%22http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoHg5SJYRHA0%22%3B%3C%2Fscript%3E
That url doesn't work on my browser, but the idea is that it might allow a sneaky hacker to run a script or dictate where your form submits and it could result in sensitive info being sent to a remote location.
You should specify a url for your form action that does not contain user input. If it must contain user input, you should validate/sanitize it carefully -- especially if the form submission contains sensitive information.
