goinstant / chat

The GoInstant Chat widget provides real-time chat to users inside a room of your application. This repo will no longer be updated. GoInstant will be discontinued as of August 31, 2014. Read our blog for more details.
https://goinstant.com
BSD 3-Clause "New" or "Revised" License

template: avatarUrl susceptible to XSS #7

Closed gavinuhma closed 10 years ago

gavinuhma commented 10 years ago

The avatarUrl var in the message-template is susceptible to XSS, since it is inserted into our CSS without sanitization and users have permission to set the avatarUrl to anything.

This should be moved out of the template to use the DOM instead, similar to the message text.
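The two patterns the issue contrasts, as an added example that is not code from goinstant/chat. The message shape `{ text, avatarUrl }`, the `gi-avatar` class name and the default avatar path are assumptions about the widget, not taken from its source. The first function reproduces the risky pattern (the raw value concatenated into a style attribute); the second validates the value as an absolute http(s) URL and assigns it through the element's `style` object, so the browser treats it as data rather than parsing it as markup or as part of the CSS text.

```javascript
// Added example (not goinstant/chat code). Assumes a message object shaped
// like { text, avatarUrl } and a hypothetical default avatar path.
const DEFAULT_AVATAR = '/img/default-avatar.png'; // hypothetical path

// The pattern the issue describes: user-controlled avatarUrl is concatenated
// straight into CSS inside a template string. A quote or ')' in the value
// terminates the url() token, and the rest of the value is parsed as
// attribute/CSS text instead of as an address.
function unsafeAvatarMarkup(message) {
  return '<div class="gi-avatar" style="background-image:url(\'' +
    message.avatarUrl + '\')"></div>';
}

// Accept only absolute http(s) URLs. Returns the normalized URL string
// (WHATWG parsing percent-encodes characters such as '"'), or null when the
// value must not be used at all (relative paths, data:, javascript:, junk).
function safeAvatarUrl(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) {
    return null;
  }
  let parsed;
  try {
    parsed = new URL(value); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  return parsed.href;
}

// The fix the issue proposes: build the avatar node through DOM APIs and set
// the image via the CSSOM. `doc` is a DOM Document (window.document in the
// browser); an invalid URL falls back to the default avatar instead of being
// rendered. Nothing user-controlled is ever part of an HTML or CSS string.
function buildAvatarElement(doc, message) {
  const el = doc.createElement('div');
  el.className = 'gi-avatar';
  const url = safeAvatarUrl(message.avatarUrl) || DEFAULT_AVATAR;
  el.style.backgroundImage = 'url("' + url + '")';
  return el;
}

// Message text gets the same treatment: textContent, never innerHTML.
function buildMessageElement(doc, message) {
  const wrapper = doc.createElement('div');
  wrapper.className = 'gi-message';
  wrapper.appendChild(buildAvatarElement(doc, message));
  const text = doc.createElement('span');
  text.className = 'gi-text';
  text.textContent = message.text;
  wrapper.appendChild(text);
  return wrapper;
}

module.exports = { unsafeAvatarMarkup, safeAvatarUrl, buildAvatarElement, buildMessageElement, DEFAULT_AVATAR };
```

Validating the scheme matters even on the DOM path: `style.backgroundImage` cannot inject markup, but without the allow-list a `data:` or non-image URL would still be fetched on behalf of every user who views the message. Rejected values fall back to the default avatar rather than being dropped silently, so the message still renders.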