The exploit looks like this:
http://portale.unitn.it/scienze/search.do
?action_to_do=search_matching_values
&all=all
&cerca=Cerca
&channelId=-12827
&fast_search_radio=obj-search-quick-radio-unitn
&hidden_flag=hidden_flag
&page=/jsp/commonresultLucene.jsp
&pageToCall=show_all_people
&schInto=portal
&schOrder=orderRel
&schType=schAllWord
&search=
&text="<p/><_INJECTION_GOES_HERE_>
JavaScript injection works without restrictions, and of course HTML injection does too. So I built a simple exploit in honor of my friend Maurizio Grasso; take a look at it:
http://portale.unitn.it/scienze
I encourage all of you to install the "NoScript" plugin for Firefox, which blocks such an attack very easily.
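On the server side, the fix is to encode the `text` parameter at the point where the results page writes it back out. The following is an added example, not the portal's code (which this post does not show); it assumes the value is echoed inside a quoted attribute, which the leading `"` in the URL suggests, and the class and method names are hypothetical.

```java
public class ReflectedSearchText {
    // Encode the characters that can close an attribute value or open a tag.
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Assumed shape of the flaw: the parameter is concatenated into the page as-is.
    static String renderUnsafe(String text) {
        return "<input name=\"text\" value=\"" + text + "\">";
    }

    // Hardened form: same markup, value encoded where it is written out.
    static String renderSafe(String text) {
        return "<input name=\"text\" value=\"" + encodeForHtml(text) + "\">";
    }

    public static void main(String[] args) {
        // The placeholder value from the URL in the post, used as sample input.
        String text = "\"<p/><_INJECTION_GOES_HERE_>";
        String unsafe = renderUnsafe(text);
        String safe = renderSafe(text);
        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        // Unsafe page: the quote closes value="" and the markup after it is live.
        if (!unsafe.contains("value=\"\"<p/>")) throw new AssertionError("unsafe");
        // Safe page: no raw quote or angle bracket from the input survives.
        if (!safe.contains("value=\"&quot;&lt;p/&gt;&lt;_INJECTION_GOES_HERE_&gt;\""))
            throw new AssertionError("safe");
    }
}
```

In a JSP, the same encoding is what `<c:out value="${param.text}"/>` applies by default, in place of writing `${param.text}` directly into the page.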