Query does need to be encoded in input field

search.php

@@ -24,7 +24,7 @@
                         die();
                     }
 
-                    echo "value=\"$query\"";
+                    echo "value=\"" . htmlspecialchars(trim($query)) . "\"";
                 ?>
             >
             <br>