Hacker News

Note that HTML is not escaped correctly. I don't think this can lead to XSS because <> is removed and the word is not echoed inside any tag attribute, but escaping &, ', and " might be something to fix regardless.

Obligatory snowman: https://dro.pm/a.png



