PCI Scan shows 'script' XSS vulnerability in catalogsearch/result
Hi,
We are using v1.9.1.0 and our PCI scan revealed a level 10.0 (highest) vulnerability regarding the catalogsearch/result:
Cross-Site Scripting in HTML 'script' tag
Apart from upgrading, how can we prevent this? Would upgrading likely fix this?
Many thanks,
Re: PCI Scan shows 'script' XSS vulnerability in catalogsearch/result
Hi @Wegento
I am also getting a report from my site's PCI scan, as follows:
Injected into the "q" form parameter (Using method POST) on http://www.example.com/catalogsearch/result/: 1041: _gaq.push([ 1042: '_trackEvent', 1043: 'Search', 1044: 'Search with no Results', 1045: "\\\"><script>992170282",
I am using Magento 1.4.1.1 version. Did you find a solution for this?
Thanks
Update:
I had the following code in my custom phtml file:
_gaq.push(['_trackEvent', 'SiteSearch', <?php echo Mage::helper('core')->jsonEncode($this->helper('catalogSearch')->getQueryText()); ?> ,, <?php echo $this->getResultCount();?> , true]);
I replaced it with the following:
_gaq.push(['_trackEvent', 'SiteSearch', <?php echo Mage::helper('core')->jsonEncode($this->helper('catalogSearch')->getEscapedQueryText()); ?> ,, <?php echo $this->getResultCount();?> , true]);
Notice getEscapedQueryText() in the second line; that fixed the issue.
Problem Solved Click Accept as Solution!:Magento Community India Forum
Re: PCI Scan shows 'script' XSS vulnerability in catalogsearch/result
Your custom template probably fails to properly sanitize the output. It needs to return the query string with something like this:
$this->__("Search results for: '%s'", $this->helper('catalogsearch')->getEscapedQueryText())
Re: PCI Scan shows 'script' XSS vulnerability in catalogsearch/result
As to this one, somebody customized the template to push search queries to Google Analytics and doesn't understand properly escaping user-provided content, which needs to have
$this->escapeHtml()
applied to it.
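An added example (not code from the thread or from Magento) in plain PHP, contrasting the jsonEncode-only template from the second post with the getEscapedQueryText()/escapeHtml() version the replies recommend, plus the check a scanner effectively applies; it assumes json_encode() and htmlspecialchars() as stand-ins for Mage::helper('core')->jsonEncode() and escapeHtml(), and the probe value is constructed:

```php
<?php
// Added example, not from the thread: why JSON-encoding alone is not enough
// when a search query is written into an inline <script> block, and what the
// getEscapedQueryText()/escapeHtml() fix changes. Assumptions: json_encode()
// and htmlspecialchars() stand in for Magento's jsonEncode() and escapeHtml();
// the probe below is a constructed test input, not real scan data.

// Vulnerable: the raw query is JSON-encoded only. JSON escapes quotes but
// leaves '<' and '>' intact, so a query containing '</script>' closes the
// script block and everything after it is parsed as HTML.
function render_tracking_vulnerable(string $query, int $count): string
{
    return "<script>_gaq.push(['_trackEvent', 'SiteSearch', "
        . json_encode($query) . ", , " . $count . ", true]);</script>";
}

// Fixed the way the thread does: HTML-escape first (getEscapedQueryText() is
// escapeHtml() applied to the query), then JSON-encode. '<' and '>' become
// entities, so the HTML parser never sees a tag inside the string.
function render_tracking_fixed(string $query, int $count): string
{
    $escaped = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
    return "<script>_gaq.push(['_trackEvent', 'SiteSearch', "
        . json_encode($escaped) . ", , " . $count . ", true]);</script>";
}

// Plain-PHP alternative with the same effect: JSON_HEX_TAG emits '<' and '>'
// as \u003C / \u003E, valid JS that keeps the literal query text intact.
function render_tracking_hex(string $query, int $count): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return "<script>_gaq.push(['_trackEvent', 'SiteSearch', "
        . json_encode($query, $flags) . ", , " . $count . ", true]);</script>";
}

// The check a scanner effectively applies: the fragment must contain exactly
// one opening and one closing script tag, none of them derived from the query.
function is_script_block_intact(string $html): bool
{
    return preg_match_all('#<script\b#i', $html) === 1
        && preg_match_all('#</script>#i', $html) === 1;
}

// Constructed probe: the scanner in the thread reflected "><script>...; a
// closing tag in front of it shows the real breakout the finding is about.
$probe = '"></script><script>992170282';
foreach (['render_tracking_vulnerable', 'render_tracking_fixed', 'render_tracking_hex'] as $fn) {
    printf("%-27s intact=%s\n", $fn, is_script_block_intact($fn($probe, 0)) ? 'yes' : 'no');
}
```

Only the vulnerable renderer reports the script block as broken; both escaped variants keep it intact, which is what makes the PCI finding go away.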