HTML forms can be trivially manipulated, though, so treat the contents of submitted forms as untrusted input until you can verify otherwise.
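
As an added example (not code from the original page), the server-side handler below re-checks everything the form's markup only suggests to the browser: the `<select>` choice, numeric bounds, the length limit, and a hidden `price` field. The field names, catalogue and limits are assumptions made for illustration.

```javascript
// Server-side re-validation of a submitted order form (illustrative names).
const CATALOGUE = { "sku-100": 1999, "sku-200": 4999 }; // cents; server-side source of truth
const ALLOWED_FIELDS = new Set(["sku", "quantity", "note", "price"]);

function parseOrderForm(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = [];

  // Unknown or repeated fields never come from the rendered form,
  // but a hand-built request can contain them.
  const seen = new Set();
  for (const [name] of params) {
    if (!ALLOWED_FIELDS.has(name)) errors.push(`unexpected field: ${name}`);
    if (seen.has(name)) errors.push(`duplicate field: ${name}`);
    seen.add(name);
  }

  // <select> options are not enforced on the wire; check membership here.
  const sku = params.get("sku") ?? "";
  if (!Object.prototype.hasOwnProperty.call(CATALOGUE, sku)) errors.push("unknown sku");

  // type=number, min and max are client-side hints only.
  const qtyText = params.get("quantity") ?? "";
  const quantity = /^[0-9]{1,2}$/.test(qtyText) ? Number(qtyText) : NaN;
  if (!(quantity >= 1 && quantity <= 10)) errors.push("quantity must be 1-10");

  // maxlength is client-side only.
  const note = params.get("note") ?? "";
  if (note.length > 200) errors.push("note too long");

  if (errors.length > 0) return { ok: false, errors };

  // The hidden "price" field is ignored; the total comes from the catalogue.
  return { ok: true, order: { sku, quantity, note, totalCents: CATALOGUE[sku] * quantity } };
}

// Constructed sample bodies: one as a browser would send it, one edited by hand.
const honest = "sku=sku-100&quantity=2&note=gift&price=1999";
const tampered = "sku=sku-100&quantity=2&price=1&quantity=-5&admin=true";
console.log(parseOrderForm(honest));
console.log(parseOrderForm(tampered));
```
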