
escape html in chat messages

romanmatiasko 10 years ago
parent
commit
f9c867a4cc
2 changed files with 14 additions and 19 deletions
  1. 6 2
      public/javascripts/play.js
  2. 8 17
      server.js

+ 6 - 2
public/javascripts/play.js

@@ -257,6 +257,10 @@ $(function() {
     }
   }
 
+  function escapeHTML(html) {
+    return $('<div/>').text(html).html();
+  }
+
   /* socket.io */
 
   function rematchAccepted() {
@@ -343,7 +347,7 @@ $(function() {
     var chat_node = $('ul#chat')[0];
     var messageSnd = $("#messageSnd")[0];
 
-    chat.append('<li class="' + data.color + ' left" >' + data.message + '</li>');
+    chat.append('<li class="' + data.color + ' left" >' + escapeHTML(data.message) + '</li>');
 
     if (chat.is(':visible') && chat_node.scrollHeight > 300) {
       setTimeout(function() { chat_node.scrollTop = chat_node.scrollHeight; }, 50);
@@ -567,7 +571,7 @@ $(function() {
 
     if (!/^\W*$/.test(message)) {
       input.val('');
-      $('ul#chat').append('<li class="' + color + ' right" >' + message + '</li>');
+      $('ul#chat').append('<li class="' + color + ' right" >' + escapeHTML(message) + '</li>');
 
       var chat_node = $('ul#chat')[0];
       if (chat_node.scrollHeight > 300) {
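Review bot: The message body is now escaped, but on the same rewritten line in the second hunk `data.color` is still concatenated raw into the `class` attribute, so a relayed value such as `" onmouseover="…` would still inject — whether the server validates `color` before relaying it is not visible here, but the `new-move` handler in this commit forwards `data.move` verbatim, so it should not be assumed. Building the node through the DOM API avoids string-assembling markup at all and covers both the attribute and the text: `chat.append($('<li/>').addClass(data.color + ' left').text(data.message));`, with the same shape for the local echo in the third hunk. Note also that `escapeHTML` relies on innerHTML serialization of a text node, which escapes `&`, `<` and `>` but not quotes, so a comment such as `// text-node escaping only; never use for attribute values` would keep it from being reused in an attribute context. The enclosing socket handler in the second hunk starts before the hunk.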

+ 8 - 17
server.js

@@ -158,25 +158,16 @@ io.sockets.on('connection', function (socket) {
   });
 
   socket.on('new-move', function (data) {
-    var receiver, game;
-
-    if (!(data.token in games)) {
-      return;
-    }
-
-    game = games[data.token];
+    var opponent;
 
-    if (game.players[0].id == socket.id) {
-      receiver = game.players[1].socket;
-    } else if (game.players[1].id == socket.id) {
-      receiver = game.players[0].socket;
-    } else {
-      return;
+    if (data.token in games) {
+      opponent = getOpponent(data.token, socket);
+      if (opponent) {
+        opponent.socket.emit('move', {
+          'move': data.move
+        });
+      }
     }
-
-    receiver.emit('move', {
-      'move': data.move,
-    });
   });
 
   socket.on('resign', function (data) {
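Review bot: The rewritten guard `if (data.token in games)` keeps two weaknesses of the removed code rather than fixing them: `in` also matches inherited properties, so if `games` is a plain object literal a token like `constructor` or `__proto__` passes the check and reaches `getOpponent` with a non-game value, and `data.token` throws a TypeError when a client emits `new-move` with no payload, which inside a socket handler is an uncaught exception. A stricter guard is `if (data && Object.prototype.hasOwnProperty.call(games, data.token)) {` (how `games` is created is not visible here, so confirm it is a plain object). `getOpponent` is defined outside this hunk; the `if (opponent)` check suggests it returns a falsy value for a socket that is not one of the two players, which is worth stating in a comment above the call, e.g. `// getOpponent returns undefined when socket is not a player of this game`.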