by jameshart 5448 days ago
Completely misses the point of XSS and XSRF attacks. In those scenarios the 'attacking' browser is actually the attacker's victim. If you use this module, an attacker can link a victim to you and have your 'defences' arbitrarily attack them, making you part of the problem, not the solution.

Hmm... this never occurred to me. The future of the project is going to be socket.io packet analysis with detectives. The current HTTP request analysis is really weak and not intended to be the main focus.

If you want to prevent this from happening, there will be http-xss and socket-xss detectives in the future; just leave out the http-xss one to keep it safe. Optionally, you could always set your payloads to logging only.

If it's not intended to be the main focus, why are you bothering to demo it now? Why not wait and show us something even slightly representative of what your project is supposed to be like?