by haberdasher 2140 days ago
I can add a script tag via the CSS. I suppose it's not much of a security risk. Might be wrong though: https://brick.do/c9878660-42ed-4b95-93b6-10a761488b5a
3 comments

> I suppose it's not much of a security risk.

It wouldn't be much of a security risk if the authors had correctly isolated user content into its own origin, which would have made this a self-xss only. As it stands the app itself runs on the same origin, so this is a real XSS.

Thanks! Isolating user content is the next task on the list; we discussed it internally just yesterday. Unfortunately, we didn't think we'd need it /that/ soon.

Long-term, we definitely need more security-minded folks on the team.

Short-term, I will add an email address in the footer so that such issues can at least be reported privately.

Oof. Depending on how they store authentication data, it might be possible to get someone's session token. Let's hope the cookies are "HttpOnly".

Deployed a fix. Thanks!
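As an added worked example (not code from this thread, and not brick.do's own code), the two points raised above, origin isolation of user content and HttpOnly session cookies, turned into a static check. It answers the question "can script injected into a user-content page act as the app?" by looking at origin, cookie scope and site. The content hostname `pages.brick-usercontent.example` and the cookie shapes are assumptions made up for the example; the registrable-domain helper is a simplification and a real implementation would consult the Public Suffix List.

```javascript
// Added example: is user content served at contentUrl isolated from the app
// at appUrl? Three separate things decide this, and they are checked here in
// the order a browser would apply them.

function parts(url) {
  const u = new URL(url);
  return { origin: u.origin, host: u.hostname };
}

// Registrable domain ("site"), approximated as the last two labels.
// Assumption for this example only: real code must use the Public Suffix
// List (co.uk, github.io, ...) or SameSite reasoning will be wrong.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// RFC 6265 section 5.1.3 domain matching: a cookie with a Domain attribute is
// sent to that domain and every subdomain of it. A host-only cookie (no
// Domain attribute) is sent only to the exact host that set it. Note that
// cookies ignore the port and, without Secure, the scheme: they are not
// origin-scoped, which is why "different origin" alone is not enough.
// cookie: { setBy: host that issued it, domain: Domain attribute or null, httpOnly: bool }
function cookieSentTo(host, cookie) {
  const h = host.toLowerCase();
  if (!cookie.domain) return h === cookie.setBy.toLowerCase();
  const d = cookie.domain.replace(/^\./, '').toLowerCase();
  return h === d || h.endsWith('.' + d);
}

function assessIsolation(appUrl, contentUrl, sessionCookie) {
  const app = parts(appUrl);
  const content = parts(contentUrl);
  const findings = [];

  // 1. Same-origin policy: same scheme, host and port means the injected
  //    script has the app's DOM, localStorage and credentials. This is the
  //    "real XSS, not self-XSS" case from the thread.
  if (app.origin === content.origin) {
    findings.push('same origin: injected script runs as the app (stored XSS, not self-XSS)');
  }

  // 2. Cookie scope: if the session cookie reaches the content host, HttpOnly
  //    only hides it from document.cookie; fetch()/XHR from the injected
  //    script still sends it, so the token is usable even if not readable.
  if (cookieSentTo(content.host, sessionCookie)) {
    findings.push(sessionCookie.httpOnly
      ? 'session cookie reaches the content host; HttpOnly blocks document.cookie but credentialed requests still carry it'
      : 'session cookie reaches the content host and is readable via document.cookie');
  }

  // 3. Same site: a sibling subdomain is a different origin, but SameSite
  //    cookie attributes do not restrict requests between hosts of one
  //    registrable domain, and a Domain= cookie would be shared. Full
  //    isolation needs a separate registrable domain for user content.
  if (app.origin !== content.origin && site(app.host) === site(content.host)) {
    findings.push('same site: SameSite does not apply between these hosts, and a Domain= cookie would be shared');
  }

  return { isolated: findings.length === 0, findings };
}

// Usage: the situation as reported (user page on the app origin) versus
// user content moved to its own registrable domain (assumed hostname).
const hostOnlySession = { setBy: 'brick.do', domain: null, httpOnly: true };
console.log(assessIsolation('https://brick.do/', 'https://brick.do/c9878660-42ed-4b95-93b6-10a761488b5a', hostOnlySession));
console.log(assessIsolation('https://brick.do/', 'https://pages.brick-usercontent.example/c9878660', hostOnlySession));
```

The third check is the one teams usually miss: moving user pages to `usercontent.brick.do` gets rid of the same-origin finding but still reports "same site", which is why large hosts put user content on an entirely separate domain rather than a subdomain.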