Reflected XSS in form action – understanding

I am trying to learn basics of web security vulnerabilities.

I have found a website, where on reset password, you get a link in the email with a token, and when you click this link, the webpage opens and the url is reflected in a form action. Something like this:

password reset url:

and this is how it is reflected:

<form action="" method="post"> 

Based on this, i am trying to figure out if this can lead to reflected XSS. So in the url i tried something like this:"/><script>alert(document.cookie)</script> 

so that the form tag is closed, and a script is inserted inside the form.

This reflects in the form action, but with url encoded, so quotes are turned to %22 and angular brackets to %3E.

Does this mean that reflected xss can’t be achieved here? is the browser encoding this , or the web page itself must be encoding this ? is there a way to bypass to see if there is a vulnerability?