That's easy to say after the fact. If Google didn't have a comprehensive testing infrastructure, they'd have already made many worse mistakes than this.
Yeah, the problem seems to be incorrect validation rules in the code (assuming this "/" input was the real issue).
Both "TDD would catch this during coding" and "tests would catch this in regression testing" only hold if there is actually a specification of functionality with the correct input validation rules in the first place.
It seems more likely to me this is the more mundane situation that no one was paranoid enough about inputs in the first place.
This seems unlikely given that it was a data problem, not a coding problem, which caused the issue. Do you routinely run unit tests after hitting the Upload Content button on the website? I'm guessing that is a no. (Now the act of writing a unit test for "/" as input might have caused a programmer to say "Hey, the specification says that if we upload "/" in this file, then the entire Internet gets turned off. The specification is insane. Can we fix it?" But ordinarily you probably wouldn't run unit tests after upload just like you don't run a test suite after hitting Publish on your blog.)
I think it does casually suggest that there should have been a test for the '/' literal, which seems simplistic.
In addition to testing for google.com, a more robust test might be to assert that >90% (or some such threshhold) of results for a basket of random searches are not malware, as a sanity check.
Of course it's possible that a large proportion of random search results suddenly become malicious. But in that situation I'd want some alert to trip anyhow and get someone figure out what was happening to the web!
