How to protect against this type of attack?

Be carefull with the use of $_SERVER['PHP_SELF]

You should do htmlspecialchars($_SERVER["PHP_SELF"]); or htmlentities($_SERVER["PHP_SELF"]);

And that's a normal XSS attack.

More info: Info

I was using $_SERVER['PHP_SELF'] in an href tag, so that's where the JavaScript was triggered.

The solution is simple. I run PHP_SELF through a filter before using, and any passed garbage is cleaned and safe to use on the page.