The provided commit history from the alkacon/apollo-template repository shows no security-related changes to search functionality or XSS mitigation. The vulnerability exists in opencms-core (not apollo-template), but no actual code changes or patch details are provided for the core module. While XSS vulnerabilities typically involve input handling and output encoding functions, the lack of specific code modifications in the provided materials prevents confident identification of exact vulnerable functions. The GHSA references suggest the search engine component is involved, but without seeing the patched code differences in org.opencms:opencms-core, we cannot reliably map this to specific runtime-detectable functions.