Hei! Nice catch! I like it!
But as I don’t save anything in the DB and do not provide permanent links, it’s a completely stateless app — how can you damage anyone but yourself? Do you have an example of a possible damage use case, and why do you think it’s still an issue I should fix?
I didn’t pay attention to JS/HTML injection because of the stateless nature of the app.