Yes, good catch. Even though you are doing a base64 decode it's still possible to encode the injection before submitting.