Last modified: 2014-02-12 23:52:38 UTC
This seems rather frightening...

html = html + "<div class=\"suggestions-result\" rel=\"" + rel + "\" title=\"" + section.label + "\"><a class=\"sq-val-update\" href=\"javascript:sqValUpdate('" + section.label + "');\">+</a><a class=\"search-result-item\" href='" + section.value + "'>" + section.label + "</a></div>";

There's no HTML escaping on strings being placed into HTML output, nor any JavaScript escaping of strings being placed into JavaScript source code (which itself is being placed in HTML output). Page titles can contain ", ', and things like onclick="blah blah" so you really need to be escaping your output before little bobby tables comes to play...
Fix for this issue is in r101761.
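
One way to apply the escaping the report asks for, as an added example (this is not the change made in r101761 and not the project's own code). The names escapeHtml, safeHref and renderSuggestion and the data-label attribute are hypothetical, and the link scheme check is an extra assumption that the report itself does not mention.

```javascript
// Added example: hardened form of the suggestion markup quoted in the report.
// Helper names and the data-label attribute are hypothetical.

// Escape a value for HTML text and for quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Assumption: only http(s) and site-relative links are expected here.
// Anything else (javascript:, protocol-relative //host, /\host) becomes "#".
function safeHref(url) {
  var u = String(url).trim();
  return /^(https?:\/\/|\/(?![\/\\]))/i.test(u) ? u : '#';
}

// The label travels in a data attribute instead of being spliced into
// inline JavaScript source, so a single HTML-escaping step is sufficient.
function renderSuggestion(rel, section) {
  var label = escapeHtml(section.label);
  return '<div class="suggestions-result" rel="' + escapeHtml(rel) +
    '" title="' + label + '">' +
    '<a class="sq-val-update" href="#" data-label="' + label + '">+</a>' +
    '<a class="search-result-item" href="' + escapeHtml(safeHref(section.value)) +
    '">' + label + '</a></div>';
}

// Browser only: one delegated handler replaces the javascript: URL and hands
// the decoded label to the page's existing sqValUpdate() function.
if (typeof document !== 'undefined') {
  document.addEventListener('click', function (e) {
    var a = e.target.closest && e.target.closest('.sq-val-update');
    if (a) {
      e.preventDefault();
      sqValUpdate(a.getAttribute('data-label'));
    }
  });
}

// Constructed sample: a page title containing both quote types and markup.
var sample = { label: 'A"b\'c<d>', value: '/wiki/A%22b' };
console.log(renderSuggestion('0', sample));
```
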