I just received 20 submissions in a form hosted on my website within 2 minutes. The only field that is filled in says alert('TK00000025') and each submission increases this number up to alert('TK00000036'). The field switches between forms, so one form has this in the name section with the next form having it in the email section. After this, there are four blank entries.
What is this and why did it happen? Is there anything I should do to prevent it?
In general:
1) Never Insert Untrusted Data Except in Allowed Locations
2) HTML Escape Before Inserting Untrusted Data into HTML Element Content
3) Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
4) JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
5) HTML escape JSON values in an HTML context and read the data with JSON.parse
6) CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
7) URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
8) Sanitize HTML Markup with a Library Designed for the Job
9) Prevent DOM-based XSS
If you do the following, I am sure you are pretty much safe as it is.
reference: Prevention Cheat Sheet
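To make rules 2 to 4 from the answer above concrete, here is an added example (not code from the question, the answer, or the cheat sheet) showing how the same submitted value has to be encoded differently depending on where a page later displays it. The field names and the second sample value are constructed for the demonstration.

```javascript
// Added example: context-aware output encoding for a stored form submission.
// Constructed sample input, modelled on the probe values from the question.
const SUBMISSION = {
  name: "alert('TK00000025')",
  email: "<script>alert('TK00000026')</script>",
};

// Rule 2: HTML entity escape before placing data in element content.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Rule 3: attribute escape - encode every non-alphanumeric character as &#xHH;
// so the value cannot break out of a (possibly unquoted) attribute.
function attrEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// Rule 4: JavaScript escape - encode every non-alphanumeric character as \xHH
// or \uHHHH so the value stays inside a quoted JS string literal.
function jsEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0').toUpperCase()
      : '\\u' + code.toString(16).padStart(4, '0').toUpperCase();
  });
}

// Hypothetical "view submissions" page where each value lands in a different
// context: element body, attribute value, and a JavaScript string literal.
function renderSubmission(sub) {
  return [
    `<p>Name: ${htmlEscape(sub.name)}</p>`,
    `<input type="text" value="${attrEscape(sub.email)}">`,
    `<script>var lastEmail = '${jsEscape(sub.email)}';</script>`,
  ].join('\n');
}

console.log(renderSubmission(SUBMISSION));
```

Picking the encoder by output context is the point: HTML entity escaping alone is not enough for a value that ends up inside a script block or an attribute.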