This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Because the response is served with a JSON Content-Type header, direct exploitation of this vulnerability is not possible. The issue might be indirectly exploitable if a client-side script processes the response and embeds it into an HTML context. Manual confirmation is required.
Your script should filter metacharacters from user input.
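The indirect case described above, as an added example that is not part of the original finding: a client-side script embeds a reflected JSON value into HTML, first unencoded and then with the metacharacters encoded. The field name `query`, the harmless marker string and all function names are assumptions made for illustration.

```javascript
// Constructed sample: a JSON response body that reflects user input unchanged.
// The "query" field and the marker value are assumptions, not from the finding.
const reflected = '<i id="marker">injected</i> & "quoted"';
const responseBody = JSON.stringify({ query: reflected, results: [] });

// Unsafe pattern: the client decodes the JSON and concatenates the value into
// markup. JSON decoding restores the raw metacharacters, so the HTML parser
// sees them even though the response itself was served as JSON.
function renderUnsafe(body) {
  const data = JSON.parse(body);
  return '<p>No results for ' + data.query + '</p>';
}

// Encode the HTML metacharacters for element content and quoted attributes.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened pattern: same output structure, reflected value encoded first.
function renderSafe(body) {
  const data = JSON.parse(body);
  return '<p>No results for ' + escapeHtml(data.query) + '</p>';
}

// Aid for manual confirmation: list the JSON paths whose string values still
// carry HTML metacharacters, i.e. the fields a client must not embed as-is.
function findMetacharFields(value, path = '$', hits = []) {
  if (typeof value === 'string') {
    if (/[&<>"']/.test(value)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findMetacharFields(v, `${path}[${i}]`, hits));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findMetacharFields(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}
```

In a browser, assigning the value through `textContent` rather than `innerHTML` avoids HTML parsing of the reflected data altogether.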