You are capable of setting up a form and making the action a page on another server.  When you first did HTML forms you used an action on this server to repeat back your form data.  Someone could use that to mimic forms and send data to another server.  Imagine that you had created a form on your site to allow users to post a message to the site (a comment?).  You know that the form includes a field containing the user's ID number which you will store to record who sent the message.  You know it is a number so you do not bother sanitising the data.  However, someone else could mimic the form but make that field capable of sending text.

More sophisticated sites may have form data coming in from a rich text editor (Wordpress, Moodle etc.).  They cannot remove all HTML special characters because the editor is there to edit the pages (and they must contain HTML to work).  You don't worry about it because the editors are coded to strip out any dangerous content before they submit the data for saving.  Unfortunately if someone mimics the form they can send unchecked data to your server so you cannot trust it.

One protection is to check for the page which sent the data to your server.  If you have a page which shows a form you know the URL of that form.  You can then use $_SERVER["HTTP_REFERER"] and an if statement to check that the data did come from that URL.  You could do the same with $_GET data.  This is not perfect protection as a server can send the wrong data in HTTP headers and pretend to be another server but it does make attacks harder so start doing it.