XSS by writing the message:

<pre><code><i<script></script>mg src="#" onerror="alert(1)">
</code></pre>
Just stripping out tags doesn't work. Stripping out the script tags there simply ends up creating another new tag. You need to understand and implement proper escaping.
Cool! Looks like HTML injection isn't blocked whatsoever. With chat messages being loaded as people enter, it could lead to someone exploiting everyone that enters your site.
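
The stripping failure and the escaping fix discussed in the thread above, shown side by side as an added example (not code from either commenter or from the site). The helpers `stripScriptTags`, `stripUntilStable`, `escapeHtml` and `containsTagStart` are hypothetical names, and the input is the message quoted in the thread.

```javascript
// Added example: tag stripping vs. output escaping for a chat message.
// All function names here are hypothetical; none come from the site under discussion.

// Constructed input: the message quoted in the thread.
const message = '<i<script></script>mg src="#" onerror="alert(1)">';

// Naive filter: delete <script> and </script> tags in one pass.
function stripScriptTags(input) {
  return input.replace(/<\/?script[^>]*>/gi, '');
}

// "Stronger" filter: repeat the strip until the string stops changing.
// It still only knows about <script>, so other tags and handlers survive.
function stripUntilStable(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = stripScriptTags(cur);
  } while (cur !== prev);
  return cur;
}

// Output escaping: encode the characters that are significant in HTML text
// and quoted attribute values, so the browser renders the message as text.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Rough check: does the string still contain something parsed as a tag start?
function containsTagStart(html) {
  return /<[a-zA-Z\/!]/.test(html);
}

const stripped = stripScriptTags(message);
const looped = stripUntilStable(message);
const escaped = escapeHtml(message);

console.log('stripped once :', stripped, '| markup left:', containsTagStart(stripped));
console.log('stripped loop :', looped, '| markup left:', containsTagStart(looped));
console.log('escaped       :', escaped, '| markup left:', containsTagStart(escaped));
```

Removing the `script` tags joins `<i` and `mg` into an `img` tag with its `onerror` handler intact, and repeating the strip does not help because the result contains no `script` tag to remove. Escaping at output time leaves no tag for the browser to parse.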