Details
Description
Steps to reproduce:
-Create a new issue type
-Add "><script>alert('Issue name')</script> as Issue name (mind the quote at the beginning)
-Add "><script>alert('Issue desc')</script> as Issue Description
-Add /images/icons/issuetypes/genericissue.png "><script>alert('Issue icon')</script> as Issue Icon
-Make sure that this issue type is available on your project.
-Create a new issue
-Alerts, alerts everywhere.
-If you don't see the alerts, then click on the listbox.
So far this can be exploited on these fields: Issue Type icon/name, Priorities icon/name
These views seem to be affected: view issue, create/edit issue, detail view on list view, two dimensional filter statistic gadget (icon field)
I've been able to reproduce this on 6.08
Issue Links
- is cloned from JDEV-27163
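
Added example, not part of the original report and not the product's code: it shows why the leading quote in the reported values matters when a value is placed unescaped inside an HTML attribute, and how escaping plus an icon-path check keeps it as data. The template, the allow-list pattern and all function names are hypothetical; the sample values are constructed from the three fields listed in the steps.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values, modelled on the three fields in the report.
ISSUE_TYPE = {
    "name": "\"><script>alert('Issue name')</script>",
    "description": "\"><script>alert('Issue desc')</script>",
    "icon": "/images/icons/issuetypes/genericissue.png "
            "\"><script>alert('Issue icon')</script>",
}

# Hypothetical allow-list: site-relative image paths only.
ICON_PATH = re.compile(r"/[A-Za-z0-9_./-]+\.(?:png|gif|svg)")
DEFAULT_ICON = "/images/icons/issuetypes/genericissue.png"
TEMPLATE = '<img src="%s" alt="%s" title="%s"> %s'  # hypothetical markup


def render_unsafe(t):
    """Puts admin-supplied values straight into attributes and text."""
    return TEMPLATE % (t["icon"], t["name"], t["description"], t["name"])


def esc(value):
    """HTML-escapes a value, including both quote characters."""
    return html.escape(value, quote=True)


def render_safe(t):
    """Validates the icon path, then escapes every value on output."""
    icon = t["icon"] if ICON_PATH.fullmatch(t["icon"]) else DEFAULT_ICON
    return TEMPLATE % (esc(icon), esc(t["name"]),
                       esc(t["description"]), esc(t["name"]))


class TagCollector(HTMLParser):
    """Records the start tags an HTML parser finds in the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags
```

Comparing `tags_in(render_unsafe(ISSUE_TYPE))` with `tags_in(render_safe(ISSUE_TYPE))` shows the difference: the first contains `script` elements, the second only the `img`.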