Congratulations, although it's a pretty nice idea,
whoever made up this challenge should've known better...
1. XSS-attack - actually just a PoC and no attack
=> _don't_ output tainted data but use htmlentities() or whatever
2. RF-attack for spamming the web...
=> you should really cut away parameters if you provide a 'service' like that...