A search endpoint is vulnerable to an XSS injection in certain cases.

Normally, the browser will urlencode its requests, but some proxy servers and load balancers will decode URL data by default. (see http://stackoverflow.com/questions/31266629/nginx-encoding-normalizing-part-of-uri)