In the live chat functionality, when we input html tags it is rendering html input from the customer as actual HTML in the live-chat and not text. This ability allows the attacker to inject links and other HTML elements in the hope of getting the customer support agent to fill out (i.e. username/password) through means of social engineering.