I'm really paranoid about whether my donation form is safe from XSS or not (maybe I've been reading too many XSS articles). I've used the button generator provided by PayPal and inserted that into my page, but I also added a select element which has the 'item_name' value as its name attribute (one of PayPal's HTML values):
i.e. like this:
<select name="item_name">
<option>...</option>
...
</select>
My first concern is whether that's okay to do, because I'm storing the donate button in my account as a saved button, and PayPal says to put the code they give you "as-is" into your page, without alteration. I know it's self-evident, but it's just a cheeky select element that'll make a better user experience :P. Is that okay?
Another question I want to ask is: should I make the action attribute on the form that PayPal has given me point to a function in my controller which sanitizes the select element's value using htmlspecialchars() (is it even necessary to check the select element for such a purpose?), and in that function somehow point back to the PayPal URL?
I don't have any other form on my website apart from an "email me" form, which I will apply XSS filtering to, but this PayPal form has got me confused as to how I need to protect it.
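An added illustration of the "controller in the middle" idea the question raises (this is example code written for this page, not the asker's code and not anything PayPal ships; it is in Python rather than PHP so it can be run stand-alone, with html.escape standing in for htmlspecialchars() and urllib.parse.urlencode for urlencode()). The option list, the business address, the PayPal endpoint and the cmd parameter are all assumed placeholders. The point it shows: a select is no safer than a text box, since anyone can POST an arbitrary item_name, so the right check is an allowlist of the option values; URL-encoding is what protects the redirect to PayPal; and htmlspecialchars-style escaping only matters if the value is ever echoed back into your own HTML.

```python
import html
from urllib.parse import urlencode

# Constructed allowlist: mirror of the <option> values in the donation <select>.
# Anything not in here was not offered by the page, so it is rejected outright.
DONATION_ITEMS = {"General fund", "Building fund", "Scholarship"}

# Assumed placeholders; substitute the endpoint and account from the PayPal-generated button.
PAYPAL_DONATE_URL = "https://www.paypal.com/cgi-bin/webscr"
BUSINESS_EMAIL = "donate@example.org"


def validate_item_name(submitted):
    """Return the item name if it is one of the offered options, else None.

    Exact-match allowlisting, not escaping: a browser can submit any string
    for a <select>, so the server must not trust that it came from an <option>.
    """
    if submitted in DONATION_ITEMS:
        return submitted
    return None


def build_paypal_redirect(item_name, business=BUSINESS_EMAIL):
    """Build the Location header for forwarding the donor on to PayPal.

    The values travel in a URL, so the correct encoding is URL encoding.
    HTML escaping here would be wrong (it would corrupt '&' in the parameters).
    """
    params = {
        "cmd": "_donations",  # assumed; copy whatever cmd the generated button uses
        "business": business,
        "item_name": item_name,
    }
    return PAYPAL_DONATE_URL + "?" + urlencode(params)


def render_confirmation(item_name):
    """The only place HTML escaping (htmlspecialchars) is the right tool:
    when a value is written into the HTML of your own page."""
    return "<p>Thanks for donating to " + html.escape(item_name, quote=True) + "</p>"


def handle_donation(form):
    """Controller entry point: validate, then either redirect to PayPal or refuse.

    Returns ("redirect", url) or ("error", html_body) so the caller can map
    it onto a 303 response or a 400 page.
    """
    item_name = validate_item_name(form.get("item_name", ""))
    if item_name is None:
        # Echoing the bad value back is a classic reflected-XSS mistake,
        # so only a fixed message goes into the error page.
        return ("error", "<p>Unknown donation target.</p>")
    return ("redirect", build_paypal_redirect(item_name))


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one tampered.
    print(handle_donation({"item_name": "Building fund"}))
    print(handle_donation({"item_name": "<script>alert(1)</script>"}))
    # If a value ever had to appear on the page, escape it at output time:
    print(render_confirmation("<script>alert(1)</script>"))
```

Note the division of labour: the allowlist decides whether the value is acceptable at all, urlencode protects the redirect, and html.escape protects any page that echoes the value. Running the submitted string through htmlspecialchars() before sending it to PayPal would not add any protection to your site and could garble the parameters PayPal receives.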