

Show HN: Roomchat – No signup instant custom chat rooms - nerdburn
http://roomchat.co

======
mike-cardwell
XSS by writing the message:

    <i<script></script>mg src="#" onerror="alert(1)">

Just stripping out tags doesn't work. Stripping out the script tags there
simply ends up creating another new tag. You need to understand and implement
proper escaping.
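An added illustration of this point (example code, not from roomchat.co or the thread): a blacklist-style script-tag stripper versus output encoding, run over the two payloads quoted in this thread. The function names are my own.

```javascript
// Added example: why deleting tags fails and why output encoding works.

// A naive sanitiser that only removes <script> and </script> tags, the kind of
// filter the comment above describes. On the nested payload the two deletions
// splice the surrounding fragments into a brand-new <img onerror> tag.
function stripScriptTags(message) {
  return message.replace(/<\/?script[^>]*>/gi, "");
}

// Output encoding: replace the five HTML-significant characters with entities so
// the browser shows the message as text instead of parsing it as markup.
const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(message) {
  return message.replace(/[&<>"']/g, (c) => ENTITY_MAP[c]);
}

// Defensive check: does the string still contain an element carrying an
// inline on* event handler attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// The two payloads quoted in this thread.
const NESTED = '<i<script></script>mg src="#" onerror="alert(1)">';
const MOUSEOVER = '<IMG SRC=# onmouseover="alert(\'xxs\')">';

// Stripping leaves a live handler in both cases; encoding leaves none.
for (const payload of [NESTED, MOUSEOVER]) {
  const stripped = stripScriptTags(payload);
  const encoded = escapeHtml(payload);
  console.log("stripped:", stripped, "-> handler left:", containsEventHandlerTag(stripped));
  console.log("encoded: ", encoded, "-> handler left:", containsEventHandlerTag(encoded));
}
```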

------
timebomb
Cool! Looks like HTML injection isn't blocked whatsoever. With chat messages
being loaded as people enter, it could lead to someone exploiting everyone
that enters your site.

~~~
nerdburn
Ha, good catch! It's just a toy at this point, but we'll fix that asap.

------
nerdburn
We created this in Meteor.js, pretty fun. Great for short term chat rooms that
don't need a sign up. Would love feedback!

------
nautical
Please fix it: <IMG SRC=# onmouseover="alert('xxs')">

------
nautical
People... It still has XSS issues.

