patched xss hole with messages not setting the content type correctly

services/web/app/coffee/Features/Chat/ChatController.coffee

@@ -25,4 +25,5 @@ module.exports =
 				logger.err err:err, query:query, "problem getting messages from chat api"
 				return res.send 500
 			logger.log length:messages?.length, "sending messages to client"
+			res.set 'Content-Type', 'application/json'
 			res.send messages

services/web/test/UnitTests/coffee/Chat/ChatControllerTests.coffee

@@ -33,7 +33,8 @@ describe "ChatController", ->
 					_id:@user_id
 			body:
 				content:@messageContent
-		@res = {}
+		@res =
+			set:sinon.stub()
 
 	describe "sendMessage", ->
 
@@ -69,6 +70,7 @@ describe "ChatController", ->
 			messages = [{content:"hello"}]
 			@ChatHandler.getMessages.callsArgWith(2, null, messages)
 			@res.send = (sentMessages)=>
+				@res.set.calledWith('Content-Type', 'application/json').should.equal true
 				sentMessages.should.deep.equal messages
 				done()
 			@ChatController.getMessages @req, @res