And with a content injection vulnerability as well:
http://www.apple.com/au/support/ipod/service/label/diy.html?dispatchnumber=<img src=https://what.thedailywtf.com//uploads/default/8214/16c00f5bd6b57125.png>
http://i.imgur.com/qJaRfCe.png
Chrome's XSS Auditor protects against script injection, but I'm sure someone could manage a bypass (especially one targeted at older browsers) or a CSRF.
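
Added example, not part of the original post and not Apple's code: one way a page could handle the `dispatchnumber` parameter so that markup like the `<img>` tag in the URL above is never reflected. The dispatch-number format, the function names and the well-formed sample URL are assumptions made for illustration.

```javascript
// Added illustration; only `dispatchnumber` and POSTED_URL come from the post.
// ASSUMPTION: a dispatch number is 1-20 letters, digits or hyphens (real format unknown).
const DISPATCH_RE = /^[A-Za-z0-9-]{1,20}$/;

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Returns { ok, html }. Rejected input is never echoed back into the markup.
function renderDispatchNumber(pageUrl) {
  const rejected = { ok: false, html: '<p class="error">Invalid dispatch number.</p>' };
  const values = new URL(pageUrl).searchParams.getAll('dispatchnumber');
  if (values.length !== 1) {
    // Missing or repeated parameter: refuse rather than guess which copy to trust.
    return rejected;
  }
  const value = values[0];
  if (!DISPATCH_RE.test(value)) {
    return rejected;
  }
  // Still encode on output so the sink stays safe if the allowlist is loosened later.
  return { ok: true, html: '<p>Dispatch number: ' + escapeHtml(value) + '</p>' };
}

// URL quoted in the post above.
const POSTED_URL = 'http://www.apple.com/au/support/ipod/service/label/diy.html' +
  '?dispatchnumber=<img src=https://what.thedailywtf.com//uploads/default/8214/16c00f5bd6b57125.png>';
// Constructed sample of a well-formed request.
const VALID_URL = 'http://www.apple.com/au/support/ipod/service/label/diy.html?dispatchnumber=D12345678';

console.log(renderDispatchNumber(POSTED_URL));
console.log(renderDispatchNumber(VALID_URL));
// What the injected value looks like once encoded instead of reflected raw.
console.log(escapeHtml(new URL(POSTED_URL).searchParams.get('dispatchnumber')));
```

Validation and output encoding are applied together here because the XSS Auditor mentioned in the post is a browser-side filter and does not change what the server or page script emits.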