You're talking about injection attacks when escaping isn't present.
CSRF is cross site request forgery, f.ex. creating a POST form on a hostile site that targets a POST processing endpoint in on site with data that the user didn't want to supply, but whose login cookie would authorize the request at the target.
Many frameworks inject an per-user "authentication" cookie in form's that is validated upon request, this way an attacker cannot trick the users browser to submit data since they don't have the correct CSRF-cookie.
CSRF is cross site request forgery, f.ex. creating a POST form on a hostile site that targets a POST processing endpoint in on site with data that the user didn't want to supply, but whose login cookie would authorize the request at the target.
Many frameworks inject an per-user "authentication" cookie in form's that is validated upon request, this way an attacker cannot trick the users browser to submit data since they don't have the correct CSRF-cookie.
https://owasp.org/www-community/attacks/csrf
https://developer.mozilla.org/en-US/docs/Web/Security/Attack...