Persistent XSS in JIRA charting plugin Workload Pie Chart Report


    • 5.02
    • 6.5

      The Workload Pie Chart Report included with the JIRA charting plugin contains a number of XSS vulnerabilities. This plugin is bundled with OnDemand.

      The configuration page contains an XSS vulnerability in custom field names.
      1. Create a custom field with the name <script>alert('custom field')</script>
      2. Try to create a workload pie chart report for a project
      e.g. https://iceberg.jira-dev.com/secure/ConfigureReport!default.jspa?selectedProjectId=10002&reportKey=com.atlassian.jira.ext.charting:workloadpie-report

      The view page contains XSS vulnerabilities in a number of fields - at least assignee (through the username), project name and labels.
      1. Create an issue adding the label <script>alert('label')</script> and giving it an estimated completion time
      2. View a workload pie chart report for the project the issue is in, choosing the labels field as the statistic type

      e.g. https://iceberg.jira-dev.com/secure/ConfigureReport.jspa?projectOrFilterId=project-10002&statistictype=labels&issuetimetype=currentestimate&selectedProjectId=10002&reportKey=com.atlassian.jira.ext.charting%3Aworkloadpie-report&Next=Next
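
An added example, not taken from the report or from the charting plugin's source: a hypothetical Java renderer showing the unencoded output pattern that produces both findings, next to the output-encoded form for the view page (statistic values such as labels) and the configuration page (custom field names). The class, method names and the `customfield_10000` id are assumptions made for illustration.

```java
import java.util.List;

// Added illustration: hypothetical renderer, not the charting plugin's code.
public class WorkloadReportEncoding {

    // Encode the characters that are significant in HTML text and quoted attribute values.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: a stored value (label, username, project name) is concatenated as-is.
    static String legendRowUnsafe(String statisticValue, String workload) {
        return "<tr><td>" + statisticValue + "</td><td>" + workload + "</td></tr>";
    }

    // Hardened pattern: every stored value is encoded at the point of output.
    static String legendRowSafe(String statisticValue, String workload) {
        return "<tr><td>" + htmlEncode(statisticValue) + "</td><td>" + htmlEncode(workload) + "</td></tr>";
    }

    // Configuration page: a custom field name is used as element text, the id as an attribute value.
    static String statisticOptionSafe(String fieldId, String fieldName) {
        return "<option value=\"" + htmlEncode(fieldId) + "\">" + htmlEncode(fieldName) + "</option>";
    }

    public static void main(String[] args) {
        // Constructed sample values, copied from the reproduction steps in the report.
        List<String> stored = List.of("<script>alert('label')</script>",
                                      "<script>alert('custom field')</script>");
        for (String v : stored) {
            System.out.println("unsafe: " + legendRowUnsafe(v, "2h"));
            System.out.println("safe:   " + legendRowSafe(v, "2h"));
            System.out.println("option: " + statisticOptionSafe("customfield_10000", v)); // constructed id
        }
    }
}
```

Encoding belongs at the output step rather than at input time, because the same stored label or field name is rendered in other contexts that need different encoding.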

            Assignee:
            Eric Dalgliesh
            Reporter:
            Karla Burnett [Atlassian]
            Votes:
            0
            Watchers:
            6
