So the attack vector here is to send someone a link to the search results page with a malicious query that injects JS into the page to decode the users password and then submit it to the attacker's backend collection server? Is that right?
No. A more effective vector would be to send them to a funny video page to watch, that has nothing to do with McDonalds. And inside that video page you have a hidden iframe pointing to the malicious query which submits the McDonald's password to another backend server.
That's the basic principle of XSS. A few years ago an XSS epidemic broke out where dozens of major websites were found to be vulnerable to cookie theft. Attackers could make a single page with dozens of sneaky iframes, one per vulnerability. Usually the contents of the cookie allows you to continue a user's session, though there can be all kinds of stuff idiotically stored directly in the cookie, as can be seen in this prime example.