Hacker News

Wow. I find it stunning that in 2015, there are still engineers who execute user input without any kind of sanitization.


The input is sanitized: https://github.com/prometheus-ar/vot.ar/blob/master/msa/voto...

It's just that people are too eager to scream "vulnerability!" without properly checking it first.


Correct me if I am wrong, but client-side sanitization does not really count. It is really easy to bypass that check (send packets directly to the backend, or use dev tools, for example).


No, because it's not a website with a network between the backend and frontend. It's a desktop app, with no network connection, just using HTML for the GUI. Nobody can send packets to it.
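An added illustration of the point argued in this exchange (example code written for this page, not code from the vot.ar repository linked above; the command name, the function names and the payload are invented): a check that lives only in the UI layer is enforced only for callers that go through that layer, whereas the backend that consumes the value can enforce it unconditionally and, by building an argument list instead of a shell string, needs no quoting at all.

```python
import re

# Constructed illustration, not vot.ar code. All names here are hypothetical.
# "identifier" stands in for any user-controlled value that ends up in a
# command line, a query, or an eval.
IDENT = re.compile(r"[A-Za-z0-9_-]{1,32}")


def ui_sanitize(text):
    """The kind of check a front-end (HTML/JS) layer performs before handing a
    value on. Returns the value, or None if it is rejected."""
    return text if IDENT.fullmatch(text) else None


def backend_trusting(identifier):
    """Backend path that assumes the UI layer already checked the value and
    splices it straight into a shell command string (hypothetical command).
    Nothing here enforces the check, so whether it ran depends entirely on
    who called us."""
    return f"print_receipt --mesa '{identifier}'"


def backend_validating(identifier):
    """Same operation with the check at the point of use: an allow-list, then
    an argv list rather than a shell string, so no quoting is ever needed and
    a rejected value never reaches a shell."""
    if not IDENT.fullmatch(identifier):
        raise ValueError(f"rejected identifier: {identifier!r}")
    return ["print_receipt", "--mesa", identifier]


def via_ui(identifier, backend):
    """Normal path: UI check first, then the backend."""
    clean = ui_sanitize(identifier)
    if clean is None:
        return None
    return backend(clean)


def bypassing_ui(identifier, backend):
    """Any caller that reaches the backend without the UI: a second front-end,
    a maintenance script, or a test harness."""
    return backend(identifier)


def is_rejected(identifier, backend):
    """True if the backend itself refuses the value, regardless of the UI."""
    try:
        backend(identifier)
    except ValueError:
        return True
    return False


# Constructed payload: would terminate the single-quoted argument in the
# shell string built by backend_trusting.
CRAFTED = "x'; id; echo '"

if __name__ == "__main__":
    print(via_ui(CRAFTED, backend_trusting))            # None: UI check caught it
    print(bypassing_ui(CRAFTED, backend_trusting))      # shell string with payload spliced in
    print(is_rejected(CRAFTED, backend_validating))     # True: check is at point of use
    print(bypassing_ui("mesa-17", backend_validating))  # ['print_receipt', '--mesa', 'mesa-17']
```

Whether a caller that skips the UI actually exists in a given application (a network listener, a second front-end, local automation) is a separate question; the example only shows where the check can be enforced unconditionally, which is in the code that consumes the value.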



