Hello!
I believe I've found a security problem while reading the source.
Everyone, including Evil Hacker, can send 'meta.rooms.enter' through the websocket with any payload. It is as easy as opening the browser developer console.
So. Suppose Bob wants to attack Alice.
Prerequisite: Alice is reading forum topic number 111 alongside no more than 10 (AFAIR) other users.
Attack: Bob sends 'meta.rooms.enter' with a special payload. Example:
{
enter: 'topic_111',
username: 'Evil Hacker',
userslug: 'evil-hacker',
picture: 'https://secure.gravatar.com/avatar/22947111265b6570f10db18be78259a7?size=128&default=identicon&rating=pg" onload="alert(\'Watch your back, bro!\');'
}
Result: Bob's code is executed in Alice's browser.
I've tried it on my local machine with NodeBB from master. What do you think about it?
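Added example, not part of the post above and not NodeBB's own code: it reproduces the mechanism the report describes (a client-supplied "picture" string dropped unescaped into an HTML attribute, so the closing quote in the payload smuggles in an onload= handler) and shows two fixes. The payload is the one from the post; renderUserNaive, renderUserEscaped, sanitizeEnterPayload, attributeNames and the sessionUser object are hypothetical stand-ins for the real template and socket handler, assumed here for illustration.

```javascript
// Added example (not NodeBB code). Demonstrates the attribute-injection XSS from
// the report and two ways to close it. All function names are hypothetical.

// Payload exactly as posted in the report.
const payload = {
  enter: 'topic_111',
  username: 'Evil Hacker',
  userslug: 'evil-hacker',
  picture: 'https://secure.gravatar.com/avatar/22947111265b6570f10db18be78259a7?size=128&default=identicon&rating=pg" onload="alert(\'Watch your back, bro!\');'
};

// Vulnerable rendering (assumed shape of the bug): string concatenation with
// untrusted values straight from the socket message.
function renderUserNaive(user) {
  return '<a href="/user/' + user.userslug + '">' +
         '<img src="' + user.picture + '" title="' + user.username + '">' +
         '</a>';
}

// Fix 1 (client side): escape every value before it lands inside an attribute.
// The double quote in the payload becomes &quot;, so it can no longer end the
// src attribute and start a new one.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderUserEscaped(user) {
  return '<a href="/user/' + escapeAttr(user.userslug) + '">' +
         '<img src="' + escapeAttr(user.picture) + '" title="' + escapeAttr(user.username) + '">' +
         '</a>';
}

// Fix 2 (server side, removes the root cause): never trust identity fields sent
// by the socket client. Keep only the room name from the payload and take
// username/userslug/picture from the server's own record of the session user.
// sessionUser is assumed to be looked up from the authenticated socket's uid.
function sanitizeEnterPayload(clientPayload, sessionUser) {
  return {
    enter: String(clientPayload.enter),
    uid: sessionUser.uid,
    username: sessionUser.username,
    userslug: sessionUser.userslug,
    picture: sessionUser.picture
  };
}

// Check helper: list the attribute names present in the rendered markup, so the
// injected onload= shows up as a separate attribute only when escaping is missing.
function attributeNames(html) {
  const names = [];
  const re = /\s([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1]);
  }
  return names;
}

console.log(attributeNames(renderUserNaive(payload)));   // [ 'href', 'src', 'onload', 'title' ]
console.log(attributeNames(renderUserEscaped(payload))); // [ 'href', 'src', 'title' ]
```

Fix 1 only protects the one template that happens to escape; Fix 2 means the client can no longer choose what picture, name or slug other users in the room see at all, which is the property a room-presence handler should have regardless of how the list is rendered.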