Phishing without XSS

This form is intended to be submitted to the same domain. The PATH variable is filtered and HTML-escaped; however, we can still inject a new URL.

Username:

Password:
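The following is an added example, not code from the original page. It shows why HTML escaping alone does not keep the form described above on its own domain, and it shows a same-origin check on the submission target. It assumes the reflected path value ends up in the form's action attribute; `app.example`, `other.example`, the function names and all sample inputs are constructed for illustration.

```javascript
// Added example: PAGE_URL, the hosts and all sample inputs are constructed.
const PAGE_URL = "https://app.example/login/index.php";

// Stand-in for the page's filter: plain HTML attribute escaping.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEscape(value) {
  return value.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Resolve a candidate action the way a browser does (WHATWG URL rules)
// and return the origin that would receive the submitted credentials.
function actionOrigin(candidate, pageUrl = PAGE_URL) {
  try {
    return new URL(candidate, pageUrl).origin;
  } catch {
    return null; // unparsable value
  }
}

function isSameOriginAction(candidate, pageUrl = PAGE_URL) {
  return actionOrigin(candidate, pageUrl) === new URL(pageUrl).origin;
}

// Hardened rendering: emit the resolved absolute URL only when it stays on
// the page's origin, otherwise a fixed fallback. The result is still
// HTML-escaped because it is written into an attribute.
function safeAction(candidate, pageUrl = PAGE_URL, fallback = "/login") {
  const chosen = isSameOriginAction(candidate, pageUrl) ? candidate : fallback;
  return htmlEscape(new URL(chosen, pageUrl).href);
}

const samples = [
  "/login/submit",                 // intended: same-origin path
  "submit.php?step=2",             // relative path, same origin
  "https://other.example/collect", // absolute URL, no characters to escape
  "//other.example/collect",       // scheme-relative URL
  "\\\\other.example/collect",     // backslashes are read as slashes
];

for (const s of samples) {
  console.log(JSON.stringify({
    input: s,
    unchangedByEscaping: htmlEscape(s) === s,
    origin: actionOrigin(s),
    rendered: safeAction(s),
  }));
}
```

The last three samples pass through escaping unchanged yet resolve to a different origin, so the destination has to be validated separately from the markup.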