HTML content is not escaped in the two search fields in the default STK site (the default one at the top, and the one on the bottom on the results page).

E.g, search for

"><script>alert("xss");</script>

This works on the live Magnolia-cms.com site:

http://www.magnolia-cms.com/home/top-level/searchResult.html?queryStr=%22%3E%3Cscript%3Edocument.write%28%27%3Cobject+width%3D%22480%22+height%3D%22385%22%3E%3Cparam+name%3D%22movie%22+value%3D%22http%3A%2F%2Fwww.youtube.com%2Fv%2FiwGFalTRHDA%26amp%3Bhl%3Den_US%26amp%3Bfs%3D1%22%3E%3C%2Fparam%3E%3Cparam+name%3D%22allowFullScreen%22+value%3D%22true%22%3E%3C%2Fparam%3E%3Cparam+name%3D%22allowscriptaccess%22+value%3D%22always%22%3E%3C%2Fparam%3E%3Cembed+src%3D%22http%3A%2F%2Fwww.youtube.com%2Fv%2FiwGFalTRHDA%26amp%3Bhl%3Den_US%26amp%3Bfs%3D1%22+type%3D%22application%2Fx-shockwave-flash%22+allowscriptaccess%3D%22always%22+allowfullscreen%3D%22true%22+width%3D%22480%22+height%3D%22385%22%3E%3C%2Fembed%3E%3C%2Fobject%3E%27%29%3B%3C%2Fscript%3E

Related to issue MGNLSTK-617