Thursday, 26 April 2007
Esri XSS
ESRI makes maps and GIS systems. I have been looking at their website that uses their technology. Do a Google search on "JavascriptFunction" and "Esri" and you will see that one of the parameters used with the Java servlets is a callback named "JavascriptFunction". Usually it is passed with the value "parent.MapFrame.processXML", but you can easily inject your choice of XSS. I fear this might cause a real problem for ESRI, though, and it could potentially take a little while to blat this problem out (looking at it from a developer's point of view). I am trying to contact ESRI about it. Maybe I will release on bugtracker for a laugh! ;)
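The server-side fix for a reflected callback parameter like this, as an added example that is not ESRI's code or part of the original post: the unvalidated rendering beside a hardened one that only accepts a known dotted identifier path. It assumes the response writes the parameter into a script block as the function to call; the function names, the allowlist contents beyond the value quoted above, and the sample inputs are constructed for illustration.

```javascript
// Added example. Assumption: the servlet response embeds the value of the
// "JavascriptFunction" parameter in a <script> block as the function to call.

// Callback names the application actually uses (the value quoted in the post).
const ALLOWED_CALLBACKS = new Set(["parent.MapFrame.processXML"]);

// A dotted path of plain identifiers: no parentheses, quotes, spaces or tags.
const CALLBACK_PATH = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

// Keep the serialized argument from closing the script element early.
function escapeForScript(json) {
  return json
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Before: the parameter is copied into the page verbatim, so whatever the
// request supplies runs as script in the site's origin.
function renderUnsafe(callback, payload) {
  return `<script>${callback}(${JSON.stringify(payload)});</script>`;
}

// After: reject anything that is not a short, well-formed, allowlisted name.
// Returns null when the request should be refused (e.g. with HTTP 400).
function renderSafe(callback, payload) {
  if (typeof callback !== "string" || callback.length > 64) return null;
  if (!CALLBACK_PATH.test(callback)) return null;      // syntax check
  if (!ALLOWED_CALLBACKS.has(callback)) return null;   // known callbacks only
  const arg = escapeForScript(JSON.stringify(payload));
  return `<script>${callback}(${arg});</script>`;
}

// Constructed sample requests: the normal value, then two that must be refused.
const samples = ["parent.MapFrame.processXML", "alert(1);//", "parent.Other.fn"];
for (const name of samples) {
  console.log(JSON.stringify(name), "->", renderSafe(name, { ok: true }));
}
```

If the set of legitimate callbacks cannot be enumerated, the syntax check alone still stops script injection through the parameter, but leaves callers free to invoke any existing function by name.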