potential XSS in chat log

[diracdeltas]

i wasn't able to test this because the demo is broken, but https://github.com/cjb/serverless-webrtc/blob/master/js/serverless-webrtc.js#L314 injects messages as HTML without escaping. so if alice sends <script>alert('hi')</script> to bob in the chat log, it may get executed in bob's browser (https://github.com/cjb/serverless-webrtc/blob/master/js/serverless-webrtc.js#L146)

[cjb]

@diracdeltas I can confirm the XSS worked :) Thanks for the report, fixed now!