Arbitrary javascript can be executed on the 'Play' page of the site by editing the server name in pyspades ie;

in config file change server name to "<script>alert('oo');</script>"

This could be exploited further.