Form Hijacking

  • CWE 20
  • WASC 20
  • OWASP 2017-A1

An attacker can construct a URL that modifies the action attribute of an HTML form so that it points to the attacker's server. The form's content, including CSRF tokens, user-entered parameter values, and every other field, is then delivered to the attacker via the hijacked action URL when the form is submitted.

Consider hard-coding the form action URL, or validating any supplied value against a whitelist of allowed form targets.
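As an added example (not part of this advisory), the vulnerable pattern beside the hardened one in Python; the allowlist, paths, function names and the attacker-controlled value are constructed for illustration and are not from the page:

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist: the only form targets this hypothetical app serves.
ALLOWED_ACTIONS = {"/login", "/search", "/profile/update"}
DEFAULT_ACTION = "/login"


def _render_form(action: str, csrf_token: str) -> str:
    """Render a login form whose submissions go to `action`."""
    return (
        f'<form method="POST" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="csrf" value="{html.escape(csrf_token, quote=True)}">'
        '<input name="username"><input type="password" name="password">'
        "</form>"
    )


def render_form_vulnerable(action_param: str, csrf_token: str) -> str:
    """Vulnerable: the action is taken straight from a request parameter.

    HTML-escaping the value (as _render_form does) stops XSS but NOT form
    hijacking: a fully escaped absolute or protocol-relative URL still makes
    the browser post the CSRF token and credentials to that host.
    """
    return _render_form(action_param, csrf_token)


def safe_action(action_param: str) -> str:
    """Hardened: validate the requested action against the allowlist.

    Anything carrying a scheme or host ('https://...', '//...', 'javascript:')
    is rejected, as is any path not in ALLOWED_ACTIONS; both fall back to the
    hard-coded default. Query and fragment from the parameter are dropped.
    """
    parts = urlsplit(action_param)
    if parts.scheme or parts.netloc:
        return DEFAULT_ACTION
    if parts.path not in ALLOWED_ACTIONS:
        return DEFAULT_ACTION
    return parts.path


def render_form_hardened(action_param: str, csrf_token: str) -> str:
    """Same form, but the action must pass safe_action() first."""
    return _render_form(safe_action(action_param), csrf_token)
```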