This is just a simple and harmless example of how the PHP_SELF variable can be exploited.
Be aware that any JavaScript code can be added inside the - this would not be executed, because it would be saved as HTML-escaped code, like this: &lt;script&gt;location.href(' The code is now safe to be displayed on a page or inside an e-mail.
And in some cases, we can make forms that people might even fill out.
Information available prior to submission can come in three forms:
Labels: These should quickly describe what information should be entered into an input field—this could be their username, password, email, etc.
Required or optional information: An input field should be denoted as required or optional, usually by an asterisk (*) or any cues or text-based hints that tell the form user they can’t leave a field blank.
Here, setting validateAllProperties = true is the important part.
If it is false, it will perform only the first default validation, 'Required', and it will not check the other validations on the properties, such as 'RegularExpression', 'Range', etc.
You could ask for some help in the issue queue with regard to your exact regular expression.