Show HN: Roomchat – No signup instant custom chat rooms (roomchat.co)
19 points by nerdburn 3971 days ago
5 comments

XSS by writing the message:

  <i<script></script>mg src="#" onerror="alert(1)">
Just stripping out tags doesn't work. Stripping out the script tags there simply ends up creating another new tag. You need to understand and implement proper escaping.
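Added illustration (not code from the thread or from Roomchat) of the point made in this comment and in the two later payload reports: running the quoted payload through a tag-stripping filter produces a new working tag, while HTML-escaping the message makes the browser display it literally. The filter, the escaper and the sample message are all constructed for this example.

```javascript
// Added example: tag stripping vs. output escaping for a chat message.

// Naive "sanitizer" of the kind the comment warns about: delete
// <script>...</script> pairs from the message and pass the rest through.
function stripScriptTags(message) {
  return message.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Output encoding: every character that has meaning in HTML text or
// attribute context is replaced by its entity, so the message is shown
// exactly as typed and can never start a tag or an attribute.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inverse of escapeHtml, used to show the encoding is lossless: the
// original characters are still there, they just no longer parse as markup.
function unescapeHtml(html) {
  return html
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Conservative check: a string that still contains a raw '<' or '>' may be
// parsed as markup if it is inserted with innerHTML or a raw template tag.
function containsMarkup(s) {
  return /[<>]/.test(s);
}

// Constructed test input: the same text the comment above quotes.
const PAYLOAD = '<i<script></script>mg src="#" onerror="alert(1)">';

function demo(message = PAYLOAD) {
  const stripped = stripScriptTags(message);
  const escaped = escapeHtml(message);
  return {
    stripped,                                  // a fresh <img ... onerror> tag
    escaped,                                   // inert text
    strippedIsMarkup: containsMarkup(stripped), // true
    escapedIsMarkup: containsMarkup(escaped),   // false
    roundTrips: unescapeHtml(escaped) === message,
  };
}

console.log(demo());
```

The lesson is the order of operations and the context: escape at the point where the message is written into the page, not by trying to recognise bad input. In a Meteor/Blaze template the double-brace form `{{message}}` already applies this escaping; only the triple-brace form `{{{message}}}` inserts raw HTML, so a chat app that renders user text should never use the latter.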
Cool! Looks like HTML injection isn't blocked whatsoever. With chat messages being loaded as people enter, it could lead to someone exploiting everyone that enters your site.
Ha, good catch! It's just a toy at this point, but we'll fix that asap.
We created this in Meteor.js, pretty fun. Great for short term chat rooms that don't need a sign up. Would love feedback!
Please fix it: <IMG SRC=# onmouseover="alert('xxs')">
People... It still has XSS issues...