Check whether the text field is allowing `<script>` tags. If this is allowed, then the hacker can pass any script in the text field itself. Then use filters when passing the variables through POST...
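The two steps in the answer above (check whether the field reflects a script tag unescaped, then filter the POSTed value before it is used) as an added worked example in Python; this is not code from the original post, and the function names `render_unsafe`, `render_safe`, `field_allows_script_tags` and `filter_post_field` are assumptions made for illustration:

```python
import html
import re

# Matches an opening or closing <script> tag, tolerating whitespace and
# case, so "<SCRIPT>" and "< script >" are both caught.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

# Harmless probe used only against your own form: it contains a script tag
# but executes nothing meaningful. Constructed for this example.
PROBE = "<script>probe</script>"


def contains_script_tag(text: str) -> bool:
    """True if the raw text contains a <script> tag in any casing/spacing."""
    return SCRIPT_TAG_RE.search(text) is not None


def render_unsafe(comment: str) -> str:
    """The vulnerable 'before': the POSTed value is dropped into the page verbatim."""
    return f'<p class="comment">{comment}</p>'


def render_safe(comment: str) -> str:
    """The hardened version: HTML-escape on output so any tag becomes inert text."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def field_allows_script_tags(render) -> bool:
    """The check from the post: render the probe through the page's own
    rendering path and see whether it comes back as a live tag rather than
    escaped text."""
    return contains_script_tag(render(PROBE))


def filter_post_field(value: str, max_len: int = 500) -> str:
    """Server-side filter for a POSTed text field (assumed policy): trim,
    enforce a length limit, and escape markup-significant characters before
    the value is stored or echoed back."""
    trimmed = value.strip()[:max_len]
    return html.escape(trimmed, quote=True)


if __name__ == "__main__":
    print("unsafe renderer reflects script tag:", field_allows_script_tags(render_unsafe))
    print("safe renderer reflects script tag:  ", field_allows_script_tags(render_safe))
    print("filtered POST value:", filter_post_field(PROBE))
```

Running `field_allows_script_tags` against each renderer shows the difference the post is pointing at: the verbatim renderer reflects the tag, the escaping one does not. Note that escaping belongs on output, where the context (HTML body, attribute, JavaScript) is known; the input filter here is a second layer, not a replacement for it.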