Reflected search output strips only literal <script> tags before using inner HTML.
Try /search?q=....
/search?q=...