Most of you will remember a post from a few days ago about how awesome NowJS is, and that you could create a chat server in 12 Lines of Code using it. This post is just to point out that there is no encoding/sanitization of harmful inputs going on in that code example - which means that it's a really bad idea to have it deployed live anywhere. Anyone could post something like <script> alert('this could have been malicious')</script>, and all clients would suddenly get that code pushed to them by the server.
I'm not trying to be a naysayer or anything - I love node.js. But I'm pretty sure I read about a college that was using the 12 line chat server to talk to newly admitted students. That's dangerous, and I wanted to point that out.
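The missing encoding step described above, as an added example that is not code from the original chat server or from NowJS: it sets the unencoded rendering beside an HTML-encoded one and relays only the encoded line. `relay`, the `clients` callbacks and the length limits are hypothetical stand-ins, not NowJS API.

```javascript
// Added example. relay(), the clients array and the limits are assumptions,
// not part of NowJS; they stand in for "server pushes a line to every client".

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change how a browser parses HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern the post warns about: client-supplied text concatenated into markup.
function renderUnsafe(name, message) {
  return '<br>' + name + ': ' + message;
}

// Hardened form: the name and the message are both client-controlled, so both are encoded.
function renderSafe(name, message) {
  return '<br>' + escapeHtml(name) + ': ' + escapeHtml(message);
}

const MAX_MESSAGE_LEN = 500; // assumed limit
const MAX_NAME_LEN = 32;     // assumed limit

// Server-side relay: reject non-strings and oversized input, then give every
// client the encoded line. Returns the number of clients that received it.
function relay(clients, name, message) {
  if (typeof name !== 'string' || typeof message !== 'string') return 0;
  if (message.length === 0 || message.length > MAX_MESSAGE_LEN) return 0;
  if (name.length === 0 || name.length > MAX_NAME_LEN) return 0;
  const line = renderSafe(name, message);
  clients.forEach((deliver) => deliver(line));
  return clients.length;
}

// Constructed sample input, taken from the string quoted in the post.
const sample = "<script> alert('this could have been malicious')</script>";
const inbox = [];
relay([(line) => inbox.push(line)], 'guest', sample);

console.log('unencoded:', renderUnsafe('guest', sample));
console.log('encoded:  ', inbox[0]);
```

In a browser client, setting the message with `textContent` (or jQuery's `.text()`) instead of appending an HTML string gives the same protection at the point of output.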