swa66 - 5:49 pm on Jan 21, 2013 (gmt 0)
It doesn't matter that you do not echo back upon success: any possibility of echoing back unfiltered content is more than enough for an attacker to exploit it. Even an error page is plenty of opportunity.
The attacker does not need to use your form ... they can make their own (it might not even look like a form at all; just a button or link is enough for them). If you process the input and send unfiltered output back: you lose (and/or your users lose).
Don't output unfiltered user input: running it through htmlencode() before you output it will remove most of the problems. Actually: there are functional problems solved there too.
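The point made in the post above, as an added example that is not part of the original post: an error page that echoes a submitted field, rendered once without and once with output encoding, then parsed to see which HTML elements the browser would actually receive. Python's `html.escape` stands in for the `htmlencode()` the post mentions; the `company` field, the page template and all function names are hypothetical.

```python
import html
from html.parser import HTMLParser


def error_page(submitted, encode):
    """Error path of a form handler: echoes the rejected value twice,
    once as text and once to refill the form field."""
    v = encode(submitted)
    return (f'<p>Invalid value: {v}</p>\n'
            f'<input name="company" value="{v}">')


def unsafe_page(submitted):
    # Vulnerable variant: the value goes out exactly as it came in.
    return error_page(submitted, lambda s: s)


def safe_page(submitted):
    # Encodes & < > " ' so the value can only ever be text.
    return error_page(submitted, lambda s: html.escape(s, quote=True))


class Inventory(HTMLParser):
    """Records what a parser sees: element names, text, attribute values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text, self.attrs = [], [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.update(attrs)

    def handle_data(self, data):
        self.text.append(data)


def inspect(page):
    inv = Inventory()
    inv.feed(page)
    inv.close()
    return inv.tags, "".join(inv.text).strip(), inv.attrs


# Constructed inputs: one carrying markup, one perfectly legitimate name.
MARKUP_INPUT = "<script>alert(1)</script>"
LEGIT_INPUT = "O'Brien & Sons <Ltd>"

if __name__ == "__main__":
    for value in (MARKUP_INPUT, LEGIT_INPUT):
        print("unsafe:", inspect(unsafe_page(value))[0])
        print("safe:  ", inspect(safe_page(value))[0])
```

The legitimate company name shows the functional side: without encoding, `<Ltd>` is swallowed as an unknown element and vanishes from the displayed text, while the encoded page shows and refills the value exactly as typed.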