I have a question about XSS Can forms be used as a vector for

Question

0

Editorial Team

Asked: May 15, 20262026-05-15T06:15:02+00:00 2026-05-15T06:15:02+00:00

I have a question about XSS Can forms be used as a vector for

0

I have a question about XSS

Can forms be used as a vector for XSS even if the data is not stored in the database and used at a later point?

i.e. in php the code would be this:

<form input="text" value="<?= @$_POST['my_field'] ?>" name='my_field'>

Showing an alert box (demonstrate that JS can be run) on your own browser is trivial with the code above. But is this exploitable across browsers as well?
The only scenario I see is where you trick someone into visiting a certain page, i.e. a combination of CSRF and XSS.

“Stored in a database and used at a later point”: the scenario I understand about CSS is where you’re able to post data to a site that runs JavaScript and is shown on a page in a browser that has greater/different privileges than your own.
But, to be clear, this is not wat I’m talking about above.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-15T06:15:03+00:00

Editorial Team

2026-05-15T06:15:03+00:00Added an answer on May 15, 2026 at 6:15 am

Yes, it’s still an attack vector.

What you need to consider is:

Can an authenticated user be tricked into viewing this page with maliciously-crafted data?

The answer is this case is yes (assuming you have authenticated users). Because it’s possible to direct someone to your site and pass in malicious variables to that field.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a question about XSS Can forms be used as a vector for

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply