Difficulty

Intermediate

Read Time

9 min

Blog Comment System on Firebase: XSS Protection and $0 Cost

By Codcompass Team·2026-05-31·9 min read

Architecting a Zero-Dependency Comment Engine with Firebase Realtime Database

Current Situation Analysis

Static site generators and Jamstack frameworks have pushed frontend performance to unprecedented levels. Developers meticulously optimize bundle sizes, defer non-critical scripts, and chase perfect Core Web Vitals scores. Yet, a single integration routinely negates these efforts: third-party comment widgets.

The industry treats engagement tools as commoditized drop-ins. A <script> tag from a SaaS provider promises instant community features, but it introduces three compounding liabilities:

Supply Chain Exposure: External widgets execute with full origin privileges. If the provider's CDN is compromised, or a dependency in their build pipeline is hijacked, malicious code runs in your users' browsers with access to cookies, local storage, and DOM manipulation capabilities. The 2022 event-stream npm compromise demonstrated how quickly a single vulnerable dependency can cascade into millions of projects.
Performance Degradation: Commercial comment systems typically inject 10–15 external requests and 400–600 KB of JavaScript. This directly inflates Time to Interactive (TTI) and Cumulative Layout Shift (CLS), triggering search ranking penalties and increasing bounce rates on mobile networks.
Data Sovereignty Loss: User-generated content lives on third-party infrastructure. Exporting it requires API calls, migration tools, or manual scraping. Terms of service changes can suddenly introduce ads, tracking pixels, or paywalls behind previously free features.

These risks are frequently overlooked because the perceived engineering overhead of building a custom solution outweighs the abstract threat model. Developers assume sanitization libraries and rate-limiting middleware will suffice, ignoring that client-side validation is inherently bypassable and third-party scripts operate outside your security perimeter.

WOW Moment: Key Findings

Replacing a commercial widget with a self-hosted Firebase Realtime Database (RTDB) implementation flips the risk/reward ratio. The following comparison illustrates the architectural shift:

Approach	External Requests	JS Payload	Data Ownership	XSS Attack Surface	Monthly Cost
Commercial Widget	10–15	400–600 KB	Provider	Medium (relies on client sanitization)	$0–$11+
GitHub Issues API	3–5	~120 KB	Partial (GitHub TOS)	Low (Markdown sandboxed)	$0
Firebase RTDB (Self-Hosted)	0	~18 KB	100%	Minimal (DOM API enforced)	$0

Why this matters: Firebase RTDB synchronizes data over persistent WebSocket connections, eliminating polling overhead. Security rules execute server-side, making client-side bypasses impossible. The Spark Plan provides 1 GB of storage, 10 GB/month outbound transfer, 100 concurrent connections, and 400,000 read/write operations daily. At an average comment size of 300–500 bytes, the free tier comfortably hosts 2–3 million entries, making it viable for high-traffic publications without infrastructure management.

Core Solution

Building a production-ready comment engine requires three layers: infrastructure provisioning, server-side validation, and a secure frontend renderer. We will use Firebase RTDB for real-time synchronization, TypeScript for type safety, and the DOM Creation API to eliminate HTML injection vectors.

1. Infrastructure Provisioning

Firebase RTDB stores data as a JSON tree. Unlike relational databases, it has no schema enforcement at the storage layer, which makes server-side rules mandatory. Create a project in the Firebase Console, enable Realtime Database, and select a region geographically close to your primary audience (us-central1 or europe-west1). Initialize the project in test mode temporarily; we will lock it down immediately after verifying connectivity.

Extract the web app configuration object. This contains the routing endpoints and authentication

identifiers required by the modular SDK.

2. Server-Side Validation Architecture

Client-side validation is a UX convenience, not a security boundary. All structural constraints must be enforced by Firebase Security Rules. These rules compile to a deterministic evaluation engine on Google's infrastructure, meaning they cannot be altered or bypassed by browser developer tools.

The rule set enforces:

Append-only writes: Existing records cannot be modified or deleted by clients.
Type enforcement: Fields must be strings or numbers, rejecting arrays, objects, or null values.
Length boundaries: Prevents payload flooding and storage exhaustion.
Temporal validation: Rejects entries with future timestamps, preventing clock manipulation attacks.

3. Frontend Implementation Strategy

The frontend handles three responsibilities: connection lifecycle management, secure DOM rendering, and user input dispatch. We avoid innerHTML entirely. Instead, we construct elements using document.createElement() and assign user data via textContent. This guarantees that any injected markup is rendered as literal text, neutralizing XSS payloads at the browser level.

We also implement connection cleanup. Realtime listeners consume persistent WebSocket slots. Navigating away from a page without unsubscribing leaks connections, eventually hitting the 100-concurrent limit on the free tier.

4. TypeScript Implementation

The following implementation uses a modular architecture with explicit typing, connection management, and safe rendering.

import { initializeApp } from 'firebase/app';
import { getDatabase, ref, push, onValue, off, Query } from 'firebase/database';

interface RtdbConfig {
  apiKey: string;
  authDomain: string;
  databaseURL: string;
  projectId: string;
  storageBucket: string;
  messagingSenderId: string;
  appId: string;
}

interface CommentEntry {
  author: string;
  body: string;
  postedAt: number;
}

interface CommentNode extends CommentEntry {
  key: string;
}

class EngagementStore {
  private db: ReturnType<typeof getDatabase>;
  private activeListeners: Map<string, Query> = new Map();

  constructor(config: RtdbConfig) {
    const app = initializeApp(config);
    this.db = getDatabase(app);
  }

  async dispatchEntry(articleRef: string, author: string, body: string): Promise<void> {
    const targetPath = `engagement_log/${articleRef}`;
    const entryRef = ref(this.db, targetPath);
    
    const payload: CommentEntry = {
      author: author.trim().slice(0, 45),
      body: body.trim().slice(0, 950),
      postedAt: Date.now()
    };

    await push(entryRef, payload);
  }

  subscribeToThread(articleRef: string, container: HTMLElement, onUpdate: (entries: CommentNode[]) => void): void {
    const targetPath = `engagement_log/${articleRef}`;
    const queryRef = ref(this.db, targetPath);

    // Cleanup previous listener if exists
    this.unsubscribeFrom(articleRef);

    const unsubscribe = onValue(queryRef, (snapshot) => {
      const entries: CommentNode[] = [];
      snapshot.forEach((child) => {
        entries.push({ key: child.key, ...child.val() });
      });
      onUpdate(entries);
    });

    this.activeListeners.set(articleRef, queryRef);
    (queryRef as any)._unsubscribe = unsubscribe;
  }

  unsubscribeFrom(articleRef: string): void {
    const queryRef = this.activeListeners.get(articleRef);
    if (queryRef) {
      const unsubscribe = (queryRef as any)._unsubscribe;
      if (unsubscribe) unsubscribe();
      off(queryRef);
      this.activeListeners.delete(articleRef);
    }
  }
}

function buildCommentCard(entry: CommentNode): HTMLLIElement {
  const card = document.createElement('li');
  card.dataset.entryId = entry.key;
  card.className = 'comment-card';

  const header = document.createElement('header');
  header.className = 'comment-header';

  const authorTag = document.createElement('strong');
  authorTag.textContent = entry.author;

  const timestamp = document.createElement('time');
  const dateObj = new Date(entry.postedAt);
  timestamp.textContent = dateObj.toLocaleDateString('en-US', {
    day: 'numeric', month: 'short', year: 'numeric'
  });
  timestamp.setAttribute('datetime', dateObj.toISOString());

  header.appendChild(authorTag);
  header.appendChild(timestamp);

  const content = document.createElement('p');
  content.textContent = entry.body;

  card.appendChild(header);
  card.appendChild(content);

  return card;
}

function renderThread(entries: CommentNode[], container: HTMLElement): void {
  container.innerHTML = '';
  entries.forEach((entry) => {
    container.appendChild(buildCommentCard(entry));
  });
}

Architecture Rationale

RTDB over Firestore: Firestore requires additional indexing for queries and has higher latency for simple real-time sync. RTDB's JSON tree structure and native WebSocket sync are optimized for flat, append-heavy workloads like comments.
textContent over sanitization libraries: Libraries like DOMPurify add ~15 KB to your bundle and require regex parsing. textContent is a native browser API that guarantees zero HTML interpretation, reducing bundle size and eliminating parsing edge cases.
Connection lifecycle management: The subscribeToThread and unsubscribeFrom methods prevent WebSocket leaks. This is critical for single-page applications or sites with client-side routing.
Append-only design: The security rule !data.exists() ensures clients cannot alter historical data. Moderation must occur through the Firebase Console or admin SDK, preserving audit integrity.

Pitfall Guide

1. Trusting Client-Side Validation

Explanation: Relying on JavaScript length checks or type validation before sending data to Firebase creates a false sense of security. Attackers can craft raw HTTP requests or modify browser code to bypass frontend guards. Fix: Duplicate all validation logic in Firebase Security Rules. Treat client-side checks as UX enhancements only.

2. Using `innerHTML` for Dynamic Content

Explanation: Assigning user input directly to innerHTML forces the browser to parse the string as HTML. Malicious payloads like <img src=x onerror=alert(1)> execute immediately. Fix: Use document.createElement() and textContent. If rich text is required, use a strict Markdown parser that outputs safe HTML, then sanitize with a library like DOMPurify before insertion.

3. Ignoring Connection Limits

Explanation: The Spark Plan caps at 100 simultaneous connections. Failing to unsubscribe from onValue listeners when users navigate away causes connection exhaustion, resulting in PERMISSION_DENIED or timeout errors. Fix: Implement a connection manager that tracks active listeners and calls off() or the unsubscribe callback during route changes or component unmounts.

4. Timestamp Manipulation

Explanation: Clients can set postedAt to future dates, disrupting chronological ordering or bypassing time-based rules. Fix: Enforce newData.child('postedAt').val() <= now in security rules. The now variable is evaluated server-side using Google's authoritative clock.

5. Unbounded Data Growth

Explanation: While 1 GB seems large, high-traffic sites can accumulate millions of entries. Without archival, query performance degrades, and export operations become unwieldy. Fix: Implement a background Cloud Function that moves entries older than 12 months to Cloud Storage or Firestore. Add pagination or virtual scrolling for threads exceeding 50 entries.

6. Missing Error Boundaries

Explanation: Network interruptions, quota exhaustion, or rule violations throw unhandled promise rejections, breaking the UI state. Fix: Wrap push() calls in try/catch blocks. Display user-friendly feedback for quota limits or validation failures. Implement exponential backoff for retry logic.

7. Over-Engineering Threading

Explanation: Nested reply structures require complex recursive rules and complicate real-time sync. They also increase payload size and rendering complexity. Fix: Use flat mentions (@username) for replies. This preserves conversation context while keeping the data structure linear and rules deterministic.

Production Bundle

Action Checklist

Provision Firebase project and enable Realtime Database in a region close to your audience
Deploy security rules enforcing append-only writes, type validation, length limits, and temporal checks
Initialize Firebase SDK v10+ with modular imports and configure connection lifecycle hooks
Replace all innerHTML assignments with document.createElement() and textContent
Implement try/catch error handling around push() operations with user feedback
Add connection cleanup logic to prevent WebSocket leaks during client-side navigation
Test rule enforcement using Firebase Emulator Suite before production deployment
Monitor concurrent connections and read/write operations via Firebase Console metrics

Decision Matrix

Scenario	Recommended Approach	Why	Cost Impact
Personal blog (< 10k monthly visitors)	Firebase RTDB (Spark Plan)	Zero cost, real-time sync, minimal maintenance	$0
High-traffic publication (> 500k monthly visitors)	Firestore + Cloud Functions	Better scaling, advanced querying, automatic sharding	~$15–$40/mo
Enterprise compliance (GDPR/HIPAA)	Self-hosted PostgreSQL + Node.js	Full data residency control, audit logging, encryption at rest	Infrastructure + DevOps
Minimal dev time required	GitHub Issues API	Zero backend code, Markdown support, existing auth	$0 (but limited UX)

Configuration Template

Firebase Security Rules

{
  "rules": {
    "engagement_log": {
      "$articleId": {
        "$entryId": {
          ".read": true,
          ".write": "!data.exists()",
          ".validate": "newData.hasChildren(['author', 'body', 'postedAt']) &&
                        newData.child('author').isString() &&
                        newData.child('author').val().length >= 1 &&
                        newData.child('author').val().length <= 45 &&
                        newData.child('body').isString() &&
                        newData.child('body').val().length >= 1 &&
                        newData.child('body').val().length <= 950 &&
                        newData.child('postedAt').isNumber() &&
                        newData.child('postedAt').val() <= now"
        }
      }
    }
  }
}

TypeScript SDK Initialization

import { initializeApp } from 'firebase/app';
import { getDatabase } from 'firebase/database';

const rtdbConfig = {
  apiKey: process.env.FIREBASE_API_KEY || '',
  authDomain: process.env.FIREBASE_AUTH_DOMAIN || '',
  databaseURL: process.env.FIREBASE_DATABASE_URL || '',
  projectId: process.env.FIREBASE_PROJECT_ID || '',
  storageBucket: process.env.FIREBASE_STORAGE_BUCKET || '',
  messagingSenderId: process.env.FIREBASE_MESSAGING_SENDER_ID || '',
  appId: process.env.FIREBASE_APP_ID || ''
};

const app = initializeApp(rtdbConfig);
export const db = getDatabase(app);
export const store = new EngagementStore(rtdbConfig);

Quick Start Guide

Create Firebase Project: Navigate to the Firebase Console, create a new project, and enable Realtime Database. Select a region and start in test mode.
Deploy Security Rules: Replace the default rules with the append-only, type-enforced template. Save and verify syntax validation passes.
Initialize SDK: Install firebase via npm, copy the web app configuration, and instantiate the database module. Import the EngagementStore class into your frontend entry point.
Wire UI Components: Attach store.dispatchEntry() to your form submission handler. Call store.subscribeToThread() on page load, passing your container element and the renderThread callback.
Validate & Monitor: Submit test entries with edge-case payloads (empty strings, maximum lengths, future timestamps). Verify rule enforcement in the Firebase Console logs and monitor connection counts during navigation.

🎉 Mid-Year Sale — Unlock Full Article

Base plan from just $4.99/mo or $49/yr

7-day free trial · Cancel anytime · 30-day money-back