Product Search XSS / HTML Injection

WAF Test: The search results deliberately reflect user input without sanitization. Try XSS payloads — the WAF should block them before the server renders them.
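
The reflection this test page relies on, shown next to its output-encoded counterpart, as an added example (not the test application's own code); the function names and the sample query are constructed for illustration. Encoding at render time keeps reflected input inert even for a request the WAF does not stop, and the `introducesMarkup` helper can serve as a regression check.

```javascript
// Hypothetical server-side renderers for the search results heading.
// Names and sample input are constructed for this example.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Deliberately unsanitized: the query is concatenated into the markup,
// which is the behaviour the test page describes.
function renderResultsUnsafe(query) {
  return `<h2>Results for: ${query}</h2>`;
}

// Output-encoded: the query can only ever appear as text.
function renderResultsEncoded(query) {
  return `<h2>Results for: ${escapeHtml(query)}</h2>`;
}

// Regression check: does the reflected value add any tag inside the
// <h2> wrapper that the template itself emits?
function introducesMarkup(fragment) {
  const inner = fragment.replace(/^<h2>/, "").replace(/<\/h2>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed sample: harmless markup plus characters that need encoding.
const sampleQuery = '<b>sale</b> "50%" & more';

console.log(renderResultsUnsafe(sampleQuery));
console.log(renderResultsEncoded(sampleQuery));
console.log(introducesMarkup(renderResultsUnsafe(sampleQuery)));  // true
console.log(introducesMarkup(renderResultsEncoded(sampleQuery))); // false
```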