by joshcsimmons 977 days ago
Awesome - and the first time I've actually had someone "post" on my site.
2 comments

Watch out: virus/scam/spam sites can detect sites like yours and write tons of redirects, link them somewhere, and use your site's good reputation to get their scams on the home page. This is also a huge problem for redirect services.

If the wrong person publishes the wrong link, you can get your domain banned from Google and tons of other sites as a "security risk", which can spread to your email (if you use @joshcsimmons.com).

It's fine if you don't care about blacklists of course, but this kind of abuse can easily sneak up on you.

You're welcome. :D

The client-side XSS is mostly harmless (assuming you don't have any other sensitive services running with cookies scoped to this domain), although it's technically a persistent XSS, which means it could be indexed by search engines.

But is there a server-side component to this? I noticed that the "disclaimer" is added in the source returned by the server, so I assume there is some code that checks whether the post is present on the home page? If so, that could be dangerous, if there is a bug in that code such that a malicious payload in the URL could get RCE in your server process.

I've just added some defensive programming to the site. Sorry to say. Appreciate that you hacked it with your image onerror, pretty clever.

TBH I haven't thought about most of these things. Nobody typically reads my blogs when I've made them before and this is likely the only interest it will get for quite a while.

lol :) nice fix

Can't promise I won't circumvent it when I've got some time...