Nice one including the XSS injection flaw posted to inj3ct0rs within your own page there. Did your forget to sanitize your own HTML?

Secondly, publicly publishing the email addresses of the (innocent) victims, and emailing those clients with To instead of Bcc fields are both really inconsiderate moves.