I visited Zipcar to see what car makes and models were available in my neighborhood. Alas, I couldn’t log in, because I couldn’t remember my password.
It, apparently, wasn’t one of my standard web passwords, nor was it in 1Password. (I haven’t logged in to the site in over a year.) So, I clicked their password-reset link…
At the first screen, I entered my e-mail address, and clicked Submit. This form’s HTML was trivial:
<form class="generic-form" method="post" action="user-login" id="login_form" name="login">
  <fieldset class="dp_box">
    <h2>Forgot your username or password? We can help.</h2>
    Please verify yourself by providing your email address below:
    <ul>
      <li>
        <label for="email">Email Address:</label>
        <input type="text" id="email" name="email" size="20" />
      </li>
      <li>
        <div class="form-action-buttons">
          <span class="graphical-btn"><button type="submit" class="submit">Submit</button></span>
        </div>
      </li>
    </ul>
  </fieldset>
</form>
Their server redirected me, I kid you not, to this URL:
https://www.zipcar.com/register/index?message=Enter+your+username+or+Zipcard+number+and+password%2e++
Your+username+was+orginally+made+up+of+the+first+part+of+your+e%2dmail+address%2c+
before+the+%27%40%27+sign+%28your+welcome+letter+has+this+information+as+
well%29%2e+Your+Zipcard+number+is+on+the+bottom+right+corner+of+your+Zipcard%2e.
There are two problems here. One, their password-reset sequence seems to be broken. Two, that URL is horrific.
At least they appear to have considered the potential for cross-site scripting: https://www.zipcar.com/register/index?message=%3Cscript%3Ealert(%27foo%27);%3C/script%3E
That doesn’t remove the potential for making something embarrassing appear as if it’s coming from Zipcar, though: http://bit.ly/2w3J
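To make the distinction in the last two paragraphs concrete, here is an added example (not Zipcar's code) contrasting the pattern the post describes, reflecting an HTML-escaped `message` query parameter into the page, with a hardened version that only accepts an opaque message key and keeps the wording server-side. The URLs, message keys and texts are constructed for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs, modelled on the redirect quoted in the post.
SPOOFED_URL = ("https://www.example.invalid/register/index"
               "?message=Your+account+has+been+suspended%2e")
SCRIPT_URL = ("https://www.example.invalid/register/index"
              "?message=%3Cscript%3Ealert(%27foo%27);%3C/script%3E")


def message_param(url: str) -> str:
    """Return the decoded 'message' query parameter, or '' if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("message", [""])[0]


def render_reflected(url: str) -> str:
    """Pattern described in the post: reflect the parameter into the page.

    HTML-escaping blocks script injection, but any sentence an attacker puts
    in the link is still displayed as if the site itself had written it.
    """
    return '<p class="notice">%s</p>' % html.escape(message_param(url))


# Hardened pattern: the URL carries only a key into this server-side table,
# so a crafted link can select a message but cannot supply new text.
MESSAGES = {
    "reset_sent": "If that address is registered, a reset link has been sent.",
    "login_help": "Enter your username or Zipcard number and password.",
}
DEFAULT_KEY = "login_help"


def render_keyed(url: str) -> str:
    """Look the key up in MESSAGES; unknown or missing keys fall back."""
    text = MESSAGES.get(message_param(url), MESSAGES[DEFAULT_KEY])
    return '<p class="notice">%s</p>' % html.escape(text)
```

Run against SPOOFED_URL, `render_reflected` happily shows the attacker's sentence while `render_keyed` shows only the default notice.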
@David: Oh, that’s excellent!