Using htmlentities() on a plain-text e-mail does nothing to help prevent cross-site attacks; in fact, it may make the message unreadable for the recipient. Enforcing the use of POST variables only makes it harder, although not impossible, for a would-be hacker to spoof your form, while ensuring that the e-mail field (which will become the To: header in the e-mail) does not contain newline characters helps prevent a malicious user from adding his own e-mail address to that of the user and receiving a copy of the e-mail. Therefore, Answers C and E are correct.
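
The checks described above, as an added PHP example that is not part of the original text. The function names `safe_recipient` and `handle_form`, the form field names `email` and `message`, and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example; helper names and field names are hypothetical.

/** Return the address if it is safe to use as the To: header, else null. */
function safe_recipient($raw): ?string
{
    // A CR or LF would end the To: header early and let the submitter
    // append header lines of their own, such as an extra recipient.
    if (!is_string($raw) || preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    $addr = trim($raw);
    // Accept exactly one syntactically valid address and nothing else.
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false ? $addr : null;
}

/** Decide whether a form submission may be mailed; returns a status string. */
function handle_form(string $method, array $post): string
{
    // Only accept POST; this raises the bar for spoofing but does not remove it.
    if ($method !== 'POST') {
        return 'rejected: not a POST request';
    }
    $to = safe_recipient($post['email'] ?? '');
    if ($to === null) {
        return 'rejected: bad recipient';
    }
    // Plain-text body: htmlentities() is deliberately not applied, because a
    // mail client shows "&amp;" literally instead of decoding it.
    $body = is_string($post['message'] ?? null) ? $post['message'] : '';
    // mail($to, 'Contact form', $body);  // left commented so the example runs offline
    return "accepted: $to (" . strlen($body) . ' byte body)';
}

// Constructed sample submissions.
$samples = [
    ['POST', ['email' => 'alice@example.com', 'message' => 'Tom & Jerry']],
    ['POST', ['email' => "alice@example.com\r\nCc: other@example.net", 'message' => 'hi']],
    ['POST', ['email' => ['alice@example.com'], 'message' => 'hi']],
    ['GET',  ['email' => 'alice@example.com', 'message' => 'hi']],
];
foreach ($samples as [$method, $post]) {
    echo handle_form($method, $post), PHP_EOL;
}
```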