Is it a good practice to use an empty URL for a HTML form's action attribute? (action=“”)

花落未央 2020-11-22 01:50

I am wondering if anyone can give a "best practices" response to using blank HTML form actions to post back to the current page.

There is a post asking what a blan

11 answers
  •  春和景丽
    2020-11-22 02:19

    Not including the action attribute opens the page up to iframe clickjacking attacks, which involve a few simple steps:

    • An attacker wraps your page in an iframe
    • The iframe URL includes a query param with the same name as a form field
    • When the form is submitted, the query value is inserted into the database
    • The user's identifying information (email, address, etc.) has been compromised

    References

    • Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
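An added illustration (not part of the original answer) of why the action attribute matters: with no action, or action="", a POST form submits to the document's own URL, query string included, so a query parameter named like a form field reaches the server twice, and what the application stores depends on how it merges query and body parameters. The URLs, field names and merge policies below are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit, parse_qs

def form_submission_url(page_url, action=None, method="post"):
    """Resolve where a form submits. HTML treats a missing or empty action
    as the document's own URL. For GET the browser replaces the query with
    the form data; for POST the page's query string is sent as-is."""
    target = urljoin(page_url, action) if action else page_url
    parts = urlsplit(target)._replace(fragment="")
    if method.lower() == "get":
        parts = parts._replace(query="")
    return parts.geturl()

def colliding_params(submission_url, field_names):
    """Field names that also appear as query parameters of the submission
    URL: the server receives two values for each of these."""
    query_names = set(parse_qs(urlsplit(submission_url).query))
    return sorted(set(field_names) & query_names)

def server_params(submission_url, body, policy="body_only"):
    """Model three ways a backend might read parameters. Only 'body_only'
    ignores the URL's query string for a POSTed form."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(submission_url).query).items()}
    if policy == "body_only":
        return dict(body)
    if policy == "query_wins":   # e.g. a lookup that checks the query first
        return {**body, **query}
    if policy == "body_wins":    # e.g. POST data overrides GET data
        return {**query, **body}
    raise ValueError(f"unknown policy: {policy}")

if __name__ == "__main__":
    # Constructed page URL carrying a query parameter named like a form field.
    page = "https://example.com/account?email=injected%40example.test"
    body = {"email": "user@example.test", "name": "Alice"}
    target = form_submission_url(page, action=None)          # action omitted
    print(target, colliding_params(target, body))            # email collides
    print(server_params(target, body, "query_wins")["email"])
    # Mitigation: an explicit action without a query string removes the collision.
    fixed = form_submission_url(page, action="/account")
    print(fixed, colliding_params(fixed, body))              # no collision
```

The server-side half of the fix is the `body_only` policy: read a POSTed form's fields from the request body only, never from a merged view of query and body.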
