You stole 2 hours of my life with this site. So much fun.

After discovering that there's no XSS protection whatsoever, the fun really started. I'm still sorry about that location.href='http://microsoft.com', but using a browser with JS disabled, we managed to find out how the script posts the message and were able to fix it that way.

Of course, then the "funny" people began crashing browsers using various methods.

That's when my coworker and I came up with the idea of fixing the hole by patching window.updateMessage, so everyone who was on the site when we were doing that was protected against further attempts at crashing browsers.

Now if we could have XSS protection built in, this could really be so much fun. The "discussions" going on before the exploiting started all around were really funny.
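The hole the commenter describes is message text being pushed into the page as raw HTML. As an added example (not code from streethoarding.com or node_chat; function names and the length limit are assumptions), here is the unsafe renderer beside a hardened one that escapes every user-controlled field, plus a server-side intake check, run on a constructed message in the shape the thread mentions:

```javascript
// Added example, not the site's or node_chat's code: treat chat text as text
// by escaping it at the point where it becomes markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical server-side intake: reject non-strings, empty and oversized
// messages so the broadcast to other clients never carries junk.
function acceptMessage(nick, text, maxLen = 256) {
  if (typeof nick !== 'string' || typeof text !== 'string') {
    throw new TypeError('nick and text must be strings');
  }
  const trimmed = text.trim();
  if (trimmed.length === 0 || trimmed.length > maxLen) {
    throw new RangeError(`message must be 1..${maxLen} characters`);
  }
  return { nick: nick.slice(0, 32), text: trimmed };
}

// Vulnerable renderer: interpolates user text straight into the markup that
// the client later assigns to innerHTML.
function renderUnsafe(messages) {
  return messages.map((m) => `<li><b>${m.nick}</b>: ${m.text}</li>`).join('');
}

// Hardened renderer: nick and text both go through escapeHtml, so a message
// containing a script tag is displayed literally instead of executed.
function renderSafe(messages) {
  return messages
    .map((m) => `<li><b>${escapeHtml(m.nick)}</b>: ${escapeHtml(m.text)}</li>`)
    .join('');
}

// Constructed sample message in the shape the thread describes.
const SAMPLE_NICK = 'visitor';
const SAMPLE_TEXT = "<script>location.href='http://microsoft.com'</script>";
```

On a client that builds DOM nodes directly, assigning the message to `textContent` instead of `innerHTML` achieves the same effect without string escaping.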
Nice article, and an interesting combination of technologies! Maybe it's a little bit off topic, but I had a look at http://streethoarding.com/ to see the thing in action. I like the idea and execution (it runs pretty fast; very very simple design; would be interesting to see how well it runs with a huge amount of visitors) and as curious as I am (especially regarding security), the first thing I entered was some JavaScript code. Guess what, no input sanitation :)
Checking out your code, it looks like you're just polling (not long-polling)? Instead of just holding the connection open and waiting for a new message, you pass the latest message and let the client reconnect.
I use node like this (really simplified but still): http://blog.dispostable.com/instant-mail-notifications-using-nodejs
This is based heavily on the node_chat app that _ry wrote as a node example. It's on GitHub, FYI. I know because I've used it myself to figure out how node does its thing.