[forms] Is it a good practice to use an empty URL for a HTML form's action attribute? (action="")

Not including the action attribute opens the page up to iframe clickjacking attacks, which involve a few simple steps:

  • An attacker wraps your page in an iframe
  • The iframe URL includes a query param with the same name as a form field
  • When the form is submitted, the query value is inserted into the database
  • The user's identifying information (email, address, etc) has been compromised

References

Examples related to forms

How do I hide the PHP explode delimiter from submitted form results? React - clearing an input value after form submit How to prevent page from reloading after form submit - JQuery Input type number "only numeric value" validation Redirecting to a page after submitting form in HTML Clearing input in vuejs form Cleanest way to reset forms Reactjs - Form input validation No value accessor for form control TypeScript-'s Angular Framework Error - "There is no directive with exportAs set to ngForm"

Examples related to web-standards

input type="submit" Vs button tag are they interchangeable? Create a HTML table where each TR is a FORM Valid content-type for XML, HTML and XHTML documents Is it a good practice to use an empty URL for a HTML form's action attribute? (action="") Is a DIV inside a TD a bad idea? What is the proper way to URL encode Unicode characters? How does one target IE7 and IE8 with valid CSS? Is there a query language for JSON? Is it valid to have a html form inside another html form? What's the difference between ISO 8601 and RFC 3339 Date Formats?

Examples related to string

How to split a string in two and store it in a field String method cannot be found in a main class method Kotlin - How to correctly concatenate a String Replacing a character from a certain index Remove quotes from String in Python Detect whether a Python string is a number or a letter How does String substring work in Swift How does String.Index work in Swift swift 3.0 Data to String? How to parse JSON string in Typescript

Examples related to html

Embed ruby within URL : Middleman Blog Please help me convert this script to a simple image slider Generating a list of pages (not posts) without the index file Why there is this "clear" class before footer? Is it possible to change the content HTML5 alert messages? Getting all files in directory with ajax DevTools failed to load SourceMap: Could not load content for chrome-extension How to set width of mat-table column in angular? How to open a link in new tab using angular? ERROR Error: Uncaught (in promise), Cannot match any routes. URL Segment