Hello, I noticed today that if you search for the variable COMMENT (with % signs around it) in the search bar, it then brings up a comment box and you can then leave a comment box on the search page. I don't know if this is for all TWiki pages, because I didn't want to leave a random comment on the main website, but it worked for another TWiki-based page.
Confirmed. The searched-for string is displayed on the WebSearch page as is. Other variables are affected as well, try
Fix: The displayed search string needs to be entity escaped to prevent %VARIABLES% from getting expanded.
This is now fixed in SVN trunk and 5.0 branch. Thanks for reporting, Andrea!
BTW, I also put in a fix to escape TML; for example, searching for
text was shown rendered as italic
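
A simplified model of the bug and fix discussed in this thread, added here as an example and not TWiki's own code. The variable table, the toy markup pass and the escaped character set are assumptions chosen for illustration.

```python
import re

# Constructed stand-in for the wiki's variable table (not TWiki's real handlers).
VARIABLES = {
    "COMMENT": '<form class="comment"><textarea></textarea></form>',
    "WIKINAME": "ExampleUser",
}

# Assumed escape set: HTML metacharacters plus the characters that trigger
# variable expansion (%) and the toy markup below (_ and *).
ENTITIES = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
    "%": "&#37;", "_": "&#95;", "*": "&#42;",
}

def expand_variables(text):
    """Replace %NAME% with its value; unknown names are left untouched."""
    return re.sub(r"%([A-Z]+)%",
                  lambda m: VARIABLES.get(m.group(1), m.group(0)), text)

def render_markup(text):
    """Toy markup pass: _word_ becomes italic."""
    return re.sub(r"(?<!\w)_([^_\s]+)_(?!\w)", r"<em>\1</em>", text)

def entity_escape(value):
    """Encode each special character once, so no later pass sees it raw."""
    return "".join(ENTITIES.get(ch, ch) for ch in value)

def search_page_before_fix(query):
    # The query is pasted into the page source, then the whole page is rendered.
    return render_markup(expand_variables("Searched for: " + query))

def search_page_after_fix(query):
    # Same pipeline, but the query is entity-escaped before it joins the page.
    return render_markup(expand_variables("Searched for: " + entity_escape(query)))

if __name__ == "__main__":
    for q in ("%COMMENT%", "_text_", "<b>&"):
        print(repr(q))
        print("  before:", search_page_before_fix(q))
        print("  after: ", search_page_after_fix(q))
```

The browser decodes the numeric entities back to `%` and `_` for display, so the user sees the query exactly as typed while the rendering passes never see the raw characters.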