This form is intended to be submitted to the same domain. The PATH variable is filtered and HTML-escaped; however, we can still inject a new URL.
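
The point above, as an added example that is not from the original write-up: HTML escaping leaves a well-formed URL unchanged, so the form's destination has to be validated separately from its encoding. It assumes the PATH value ends up in the form's `action` attribute; `htmlEscape`, `sameOriginAction` and the `app.example` / `other.example` hosts are illustrative names, and the sample values are constructed.

```javascript
// Added example (not from the original page).
// Assumption: the PATH value is written into <form action="...">.

// Attribute-context escaping, as commonly applied before output.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Resolve the candidate the way a browser resolves a form action, then
// require the result to stay on the page's own origin. Returns a normalized
// same-origin path (plus query), or the fallback for anything else.
function sameOriginAction(candidate, pageUrl, fallback = "/") {
  const page = new URL(pageUrl);
  let resolved;
  try {
    // The WHATWG URL parser applies browser rules: "\" is treated as "/"
    // for http(s), and tab/CR/LF characters are stripped before parsing.
    resolved = new URL(candidate, page);
  } catch {
    return fallback; // unparseable input never reaches the attribute
  }
  if (resolved.origin !== page.origin) return fallback;
  return resolved.pathname + resolved.search;
}

// Constructed sample inputs for a page served from app.example.
const PAGE = "https://app.example/account/form";
const SAMPLES = [
  "/account/update?id=1",           // intended same-domain path
  "//other.example/collect",        // scheme-relative: no character to escape
  "https://other.example/collect",  // absolute URL
  "/\\other.example/collect",       // backslash is normalized to "/"
];

for (const value of SAMPLES) {
  const escaped = htmlEscape(value);
  console.log(JSON.stringify({
    value,
    changedByEscaping: escaped !== value,
    action: htmlEscape(sameOriginAction(value, PAGE)),
  }));
}
```

Escaping is still applied to the validated result, since the two controls address different problems: one keeps the value inside the attribute, the other keeps the submission on the intended origin.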