WARNING: DO NOT TRY TO CHAT WITH PEOPLE - BAD THINGS WILL HAPPEN - READ BELOW
Uhh, it's possible to inject Javascript into this. There are two people that already did this. One is harmless and alerts "Wufff!" and the other redirects you to pornhub.
[edit] Now there's another that redirects you to lemonparty.
[edit 2] Now there's another that redirects you here. It's fun watching this play out live, with the nice vs. the mean HNers.
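An added example, not part of any comment in this thread and not Drop-In Chat's code: it shows why a chat widget that concatenates sender-controlled fields into markup runs whatever a sender types, next to a version that encodes each field before output. The message shape (`from`, `text`) and all function names are hypothetical, and the sample messages are constructed.

```javascript
// Added example: names and message shape are hypothetical, not Drop-In Chat's code.

// Escape the five characters that can change HTML parsing context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: sender-controlled fields are concatenated straight into markup,
// so any tag a sender types is parsed by every recipient's browser.
function renderMessageUnsafe(msg) {
  return '<li title="' + msg.from + '">' + msg.text + '</li>';
}

// Hardened: every sender-controlled field is encoded for its context
// (attribute value and element content) before it reaches the page.
function renderMessageSafe(msg) {
  return '<li title="' + escapeHtml(msg.from) + '">' + escapeHtml(msg.text) + '</li>';
}

// Constructed sample messages; the first mirrors the harmless alert described above,
// the second shows that the display name needs encoding as much as the body does.
const sampleMessages = [
  { from: 'dog', text: '<script>alert("Wufff!")</script>' },
  { from: 'a" class="x', text: 'Tom & Jerry <3' },
];

function renderAll(render) {
  return sampleMessages.map(render);
}

console.log(renderAll(renderMessageUnsafe)); // markup is passed through intact
console.log(renderAll(renderMessageSafe));   // markup is shown as literal text
```

In a browser, assigning the message to an element's `textContent` instead of building an HTML string gives the same protection for element content.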
Shameless plug: We develop a tool that detects vulnerabilities such as this automatically (even in JavaScript based web apps) - https://www.netsparker.com/netsparker/
Does anyone know a good open-source version of this type of functionality? I have a client now that wants me to add this to their site but the data cannot go through a third-party company.
My stack is django-based but I am open to any solution that works well.
Also, out of curiosity, if dropinchat provided a virtual appliance so that you didn't need to send the messages off network would that address your security concerns?
Very nice, I'll be keeping an eye on this. I'm sure you guys have a million other things to do, but don't forget handling multiple tabs by the same user.
e: Ah, and somebody's already trying to inject javascript. You rascals ;)
I do need a messaging service for my product! Can it be used in production currently? I'm also curious about whether you provide the video conference api in the future or not? That would be useful!
Hi waitingkuo. Thanks for the encouragement. Currently I wouldn't recommend using Drop-In Chat in a production context as the code is too new and not really stable. When we get to the point we think the product is ready for production use we'll make an announcement.
At this point we do not have plans to add video conferencing support.
One of the app authors here. We did this for YC hacks and ran out of time (30 hours). At this point we don't store the chats for anything but we plan on adding that soon. At that point, the admin should be able to search.
Please let us know if we can do anything to improve the app for a possible use case for you.
Thanks Walkman. That is a good idea. We had thought of group chats and chat rooms but a public "broadcast to all" option is interesting too. Kind of like a default room that everyone is in. Is that what you are saying?
For the time being we are going to keep this completely free to gauge interest. At some point we would likely charge, but at this point don't have solid plans about what the pricing would look like. Sorry I can't be more precise.
I think the intent of our app is slightly different than yours. Our hope was to allow users of authenticated web applications to chat with one another. Our demo is misleading in this regard as all visitors to dropinchat.com get dropped into a single "chat group" (we didn't want users to need to register in order to try it out). We think that apps this product might work well with are enterprise style collaborative applications (where users are already authenticated).
Thanks for the encouragement. What we have is certainly just a first step. We will continue to keep making incremental improvements now that YC Hacks is over.
The code we used for this particular site isn't Open Source yet. We are still trying to figure out what we want to do with it before we make that decision.
XMPP seems really great in a context of needing to inter-operate with other servers. However, for our use-case all communication was in a silo of a single site so this was not a major benefit to Drop-In Chat.
Our team wants broad browser support (for legacy corporate deployments) and a well-tested client side module. BrowserChannel, which is used for gmail chat, is very widely deployed and well tested.
Maybe I'm missing something, but even if we went with XMPP, wouldn't Drop-In Chat still need a way to stream messages from the server to the client? If so, we would still need to rely on a transport mechanism like websockets/XHR streaming/forever iframes for the in-browser real time message delivery. BrowserChannel/WebChannel bundles up this abstraction nicely and hides all the ugliness of dealing with browser quirks for streaming message delivery.
I agree. If at some point dropinchat.com allowed for messaging between networks XMPP support would be great to add. At this point we are only allowing for messaging other drop in chat users so no such protocol is needed. My only point was that we didn't "reinvent the wheel" by not using XMPP. Instead we just don't allow cross network messaging yet.
I looked at chatango and I think the intended use case is a bit different than dropinchat. Drop-in chat provides user-to-user instant messaging. As best I can tell, chatango (primarily?) provides broadcast style communication. Is this correct?
Chatango is primarily focused on group chats, but you can send private messages as well. Dropinchat.com mentions "chat groups". Are they only for user-to-user messages?
At this point dropinchat.com does not support sending messages to more than one user. However, we do plan to add that feature as our team has time.
The documentation on dropinchat.com mentions "groups" as a set of users which are allowed to see one another and message back and forth. Our team thinks this use case might be helpful, for example, for a website administrator to limit communication between members on a given organizational team or individuals in a certain building, etc.