MantisBT: master-1.2.x e679a1c0

Author: dhx
Committer: dhx
Branch: master-1.2.x
Timestamp: 2011-09-05 02:36
Parent: master-1.2.x cb74408f
Affected Issues  0013191: XSS vulnerability due to usage of PHP_SELF
Changeset

Fix 0013191: Prevent further XSS issues relating to PHP_SELF

Silvia Alvarez (Debian package manager for MantisBT) has performed
additional testing of patch d00745f5e267eba4ca34286d125de685bc3a8034
and discovered that the XSS problems surrounding the use of
$_SERVER['PHP_SELF'] have not been fully fixed.

The form_action_self() function also used $_SERVER['PHP_SELF']
(retrieving the basename() component of the file name). Callees of this
function did not escape this file name prior to printing it in the
'action' attribute of <form> elements.

This patch swaps out PHP_SELF for SCRIPT_NAME (much safer as end users
have no control over the value) and also applies escaping to the
'action' attribute of relevant <form> elements.

Refer to Debian bug report #640297 [1] and discussion on the mantisbt-dev
mailing list for further details.

Thank you Sils for the detailed analysis of the problem, detailed
report, proposed solutions and extensive testing of patches for the
latest round of vulnerabilities discovered.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
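The following is an added illustration of the two points the commit message makes (PHP_SELF carries attacker-controlled PATH_INFO into a form action, and escaping at the output point closes the hole regardless of which variable is used). It is not MantisBT code; the function names, the `render_form()` helper and the `$_SERVER` values are constructed for this example. Whether PATH_INFO actually reaches PHP_SELF depends on the web server configuration (for example Apache's AcceptPathInfo), so the constructed request assumes a configuration where it does.

```php
<?php
// Added example, not MantisBT's own code. Simulates a request for
// /mantis/view.php with attacker-controlled PATH_INFO appended, which
// some server configurations pass through into $_SERVER['PHP_SELF'].

// Constructed $_SERVER values (assumption: PATH_INFO is appended to PHP_SELF
// but SCRIPT_NAME stays the server-derived path of the executing script).
$_SERVER['SCRIPT_NAME'] = '/mantis/view.php';
$_SERVER['PHP_SELF']    = '/mantis/view.php/"><img src=x onerror=alert(1)>';

// Before: basename() of PHP_SELF. With PATH_INFO present, the last path
// component is the attacker's string, not the script name.
function form_action_self_vulnerable(): string
{
    return basename($_SERVER['PHP_SELF']);
}

// After: basename() of SCRIPT_NAME, which the server derives from the
// filesystem path of the script rather than from the request URI.
function form_action_self_fixed(): string
{
    return basename($_SERVER['SCRIPT_NAME']);
}

// Hypothetical output helper: builds the <form> tag, optionally escaping
// the action attribute as the commit does for the affected pages.
function render_form(string $action, bool $escape): string
{
    $attr = $escape ? htmlspecialchars($action, ENT_QUOTES, 'UTF-8') : $action;
    return '<form action="' . $attr . '" method="post"></form>';
}

// Unescaped PHP_SELF: the double quote closes the attribute and the
// injected <img> element lands in the page.
echo "Vulnerable (PHP_SELF, unescaped):\n";
echo render_form(form_action_self_vulnerable(), false), "\n\n";

// SCRIPT_NAME plus escaping: action="view.php".
echo "Fixed (SCRIPT_NAME, escaped):\n";
echo render_form(form_action_self_fixed(), true), "\n\n";

// Escaping alone is also sufficient for this payload even if PHP_SELF is
// kept; the quote and angle brackets become entities.
echo "PHP_SELF kept but escaped:\n";
echo render_form(form_action_self_vulnerable(), true), "\n";
```

Run it with `php example.php`. The first form tag shows the attribute breakout, the second shows the value the fixed helper produces, and the third shows why the commit escapes at the output point as well as changing the source variable: output escaping protects every caller, whichever `$_SERVER` key the helper reads.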

mod - billing_inc.php
mod - bugnote_stats_inc.php
mod - core/authentication_api.php
mod - core/form_api.php
mod - core/helper_api.php
mod - manage_config_email_page.php
mod - manage_config_work_threshold_page.php
mod - manage_config_workflow_page.php