If you see this, you're not properly implementing CSRF tokens. td.win needs to do user- and session-unique CSRF tokens embedded into the form data.
Your code is closed source, so I kinda have to do this if I'm going to trust this site.
Apologies in advance if I break anything.
HTML sanitization. These should all be displayed as text. If TD.W fails to sanitize, these will be rendered as elements. <script>alert('123')</script><iframe src="https://thedonald.win"></iframe><img src="https://i.redd.it/2iiivbyeejgy.jpg">
SQL sanitization: I hope to god that you're not saving user-submitted text directly. If you are, well, I hope you made backups. ';--";--"; DROP TABLE Users;--
XSRF prevention: Going to test with JSFiddle. Results will be in comments.
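Added example, not part of the original post and not thedonald.win's code: the defender's side of the three checks the post is probing, as small Python functions that can be run offline. The names (csrf_token_for_session, verify_csrf, render_comment, store_comment) and the in-memory session store and SQLite database are assumptions of this example; a real site would back them with its own session and database layers.

```python
"""Added example (not the site's code): per-session CSRF tokens compared in
constant time, HTML escaping of user text, and parameterised SQL inserts.
The session dict and the in-memory SQLite database are stand-ins (assumptions)."""
import hmac
import html
import secrets
import sqlite3
from typing import Dict, Optional

# --- 1. CSRF: one random token per session, embedded in every form ---------
_session_tokens: Dict[str, str] = {}   # session_id -> token (stand-in for a server-side session store)


def csrf_token_for_session(session_id: str) -> str:
    """Issue (or reuse) the token that this session's forms must carry."""
    if session_id not in _session_tokens:
        _session_tokens[session_id] = secrets.token_urlsafe(32)
    return _session_tokens[session_id]


def verify_csrf(session_id: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token is the one issued to *this* session.
    hmac.compare_digest avoids leaking the token through timing differences."""
    expected = _session_tokens.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


# --- 2. HTML: escape user text; never interpolate it raw into markup -------
def render_comment(text: str) -> str:
    """<script>, <iframe>, <img> in user text come out as literal characters."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


# --- 3. SQL: bind parameters; the driver never parses the text as SQL ------
def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY)")
    conn.execute("CREATE TABLE comments (user TEXT, body TEXT)")
    return conn


def store_comment(conn: sqlite3.Connection, user: str, text: str) -> str:
    """Store the comment with bound parameters and return what was stored."""
    conn.execute("INSERT INTO comments (user, body) VALUES (?, ?)", (user, text))
    row = conn.execute("SELECT body FROM comments WHERE user = ?", (user,)).fetchone()
    return row[0]


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    # Constructed inputs: the payloads from the post above.
    tok = csrf_token_for_session("sess-a")
    print("same session, right token:", verify_csrf("sess-a", tok))
    print("other session, same token:", verify_csrf("sess-b", tok))
    print(render_comment("<script>alert('123')</script>"))
    db = new_db()
    print(store_comment(db, "tester", "';--\";--\"; DROP TABLE Users;--"))
    print("users table still there:", table_exists(db, "users"))
```

Run it directly to see the post's payloads come back as inert text and the CSRF token only validate for the session it was issued to; a token from a different session, or a missing token, is rejected.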