Passive stored XSS at broadcast room
High
C
Chaturbate
Team Summary
Official summary from Chaturbate
The hacker found that specially crafted app names could insert a small amount of data into an A tag's href in the "Broadcaster is running these apps: " chat text. Because of the character limit this required multiple successive clicks on different app names, and in the example utilised the room subject. Due to this and that the broadcaster would be required to use specially crafted apps, the scope of attack is limited. We quickly resolved this issue.
Reported by
skavans
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Cross-site Scripting (XSS) - Stored