too bad, that was an obvious risk

<script type=”text/javascript”>document.getElementById(‘map’).innerHTML=’<iframe src=”http://www.cgisecurity.com/articles/xss-faq.shtml#nofix” width=”500″ height=”200″ />’;</script>

There will also be flood protection built in.

And there will be a downloadable package priced at around $50 to $100 (according to the developer who was in the room), so people can use the Map Chat on their own website.
This, however, requires the “WebORB” server (on .NET) but they are planning to make a reduced server version that can be bundled with the Map Chat app. Woot!

All in all, an incredibly cool Ajax application that combines lots of things (Ajax chat, presence notification, geolocating with around 80% accuracy, Google Maps, the incredible “Map Sharing” feature and more) while still running quite fast.

Kudos to the Midnight Coders for this one!

I really don’t care about “javascript security hole” or XSS knowing that these things can and will easily be fixed. Why did you only comment on that? *sigh*
I’m sure that the next version will blow your mind.

Because such a blatantly obvious hole should be plugged *before* going live. The hole was wide open for at least 12 hours. The site was pretty busy. An awful lot of web sessions could have been hijacked by a malicious user. But if you don’t care, because you’re willing to take the risk that it won’t be *your* session that gets bugged, then that’s fine. But Midnight Coders should care.