All versions of Candy Chat are vulnerable to an XSS attack by message senders, permitting remote code execution within the page