So far there have been several GIFs embedded. An alert for your document.cookie, and a redirect to another gif. You can safely say it's not escaping the HTML input on the leader board.
Also the matching words shouldn't be passed to the client; keep as much data server side as possible to alleviate some of the cheating. You're never going to stop all of it, but that should deter most people.
All in all though kudos, looks a decent outcome for a hack project.
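To illustrate the escaping point in the comment above, here is an added example that is not from the thread or the project under discussion: a leaderboard row renderer that interpolates the raw name beside one that escapes every user-controlled field. The entry shape, names and scores are constructed for the example.

```javascript
// Added example (not the project's own code): escape user-supplied
// leaderboard entries at the point they are inserted into HTML.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace every HTML-significant character with its entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: markup inside a name becomes markup in the page.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.name}</td><td>${entry.score}</td></tr>`;
}

// Hardened: every field that came from a client is escaped before use.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.name)}</td><td>${escapeHtml(entry.score)}</td></tr>`;
}

function renderLeaderboard(entries, renderRow = renderRowSafe) {
  return `<table>${entries.map(renderRow).join("")}</table>`;
}

// Constructed sample data: one ordinary name and one carrying a tag.
const SAMPLE_ENTRIES = [
  { name: "alice", score: 42 },
  { name: '<img src="x">', score: 7 },
];

// With the hardened renderer the tag survives only as inert text.
console.log(renderLeaderboard(SAMPLE_ENTRIES));
```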
"the matching words shouldn't be passed to the client, keep as much data server side"
Communication cost between clients and server would be too high I guess. Also you would notice the delay between entering a word and getting the reply from the server.