The hacker will then check if the form injected on your form will be shown on the page. If it does, they generate links to your site's form processors. The unsuspecting users will then type in their info. and the injected form will be process on the hacker's site.
Try this on your localhost. Create a file name hack.php and paste the codes below
I just want to add that my demonstration will work even on upload form. So, be careful if your site is allowing users to upload. You need to screen those files if they are allowed or not. Otherwise, malicious scripts can be uploaded to your site.