Interesting that it's *not* choosing a TLD different to ".com" that
triggers the bug, but rather the language field ("hl").
In other words, if we change
[http://www.google.ae/search?hl=ar&q=<script>alert("1")</script>&meta=]
to [http://www.google.com/search?hl=ar&q=<script>alert("1")</script>&meta=...