Is there a way to prevent a malicious person from crafting a piece of code that changes the value of an action attribute?
Like when you have this line of HTML:
<form method="post" name="register" action="<?php echo $_SERVER['PHP_SELF']; ?>">
but the attacker places the entire script on his own server.
Is this XSS? What are the consequences of gaining/finding protected data?
If this kind of attack is possible, can someone show with an example how this is done?
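
Added example, not part of the original post: `$_SERVER['PHP_SELF']` includes any extra path the client appends after the script name, so echoing it into the `action` attribute without encoding reflects request data into the page. The sketch below runs one constructed request path through the unescaped pattern, an encoded version, and a `SCRIPT_NAME` alternative; the function names and sample values are assumptions made for illustration.

```php
<?php
// Added example: function names and the sample request path are constructed.

// Same pattern as the line in the post: the value goes into the attribute as-is.
function form_tag_unescaped(string $phpSelf): string
{
    return '<form method="post" name="register" action="' . $phpSelf . '">';
}

// Hardened: encode for an HTML attribute context before output.
function form_tag_escaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" name="register" action="' . $safe . '">';
}

// Alternative: SCRIPT_NAME carries the script path without trailing path
// info; it is still encoded on output.
function form_tag_script_name(array $server): string
{
    return form_tag_escaped($server['SCRIPT_NAME'] ?? '');
}

// True when the constructed marker tag appears as live markup in the output.
function marker_is_live_markup(string $html): bool
{
    return strpos($html, '<b>injected</b>') !== false;
}

// Constructed $_SERVER values for a request to /register.php with extra path
// appended by the client (harmless <b> marker instead of a real payload).
$server = [
    'SCRIPT_NAME' => '/register.php',
    'PHP_SELF'    => '/register.php/"><b>injected</b>',
];

$variants = [
    'unescaped PHP_SELF'  => form_tag_unescaped($server['PHP_SELF']),
    'escaped PHP_SELF'    => form_tag_escaped($server['PHP_SELF']),
    'escaped SCRIPT_NAME' => form_tag_script_name($server),
];
foreach ($variants as $label => $html) {
    printf("%-20s live markup: %-3s %s\n", $label,
        marker_is_live_markup($html) ? 'yes' : 'no', $html);
}
```

Only the unescaped variant reports live markup; in the encoded variants the quote and angle brackets stay inside the attribute value as entities.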