
Add Firebase validation rules and client-side guards for user name and avatar URL#196

Draft · Copilot wants to merge 2 commits into main from copilot/add-firebase-protection

Conversation

Contributor

Copilot AI commented Mar 25, 2026

Users could write arbitrary strings as display names or any URL (including javascript:, http:, or malformed) as avatar URLs directly to the Realtime Database.

Firebase Database Rules (database.rules.json)

Field-level .validate rules added to users/$uid:

| Field | Rule |
|---|---|
| name | Non-empty string, 1–64 chars, at least one non-whitespace character |
| photoURL | HTTPS-only URL (`/^https:\/\/\S+/`), max 500 chars; deletion allowed |
| uid | Must equal `$uid` (prevents spoofing) |
| search / language | Length-bounded strings |
| fcmToken / fcmTokens | Token strings and metadata validated |
| $other | `false`, blocks arbitrary field injection |
```json
"name": {
  ".validate": "newData.isString() && newData.val().length >= 1 && newData.val().length <= 64 && newData.val().matches(/\\S/)"
},
"photoURL": {
  ".validate": "newData.isString() && newData.val().length <= 500 && newData.val().matches(/^https:\\/\\/\\S+/)"
},
"$other": { ".validate": false }
```

Client-side (Profile.tsx)

  • validateProfile() runs the same constraints before any Firebase write, surfacing a human-readable error inline
  • Error clears on any field change
  • maxLength attributes on inputs; photoURL placeholder updated to https://

CSS (Profile.css)

  • .profile-error styled via --error-color CSS variable (fallback #d32f2f)
Original prompt

This section details the original issue you should resolve

<issue_title>users could set abusive names or avatar URLs </issue_title>
<issue_description>Add firebase protection </issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title [WIP] Add Firebase protection to prevent abusive names or avatar URLs Add Firebase validation rules and client-side guards for user name and avatar URL Mar 25, 2026
Copilot AI requested a review from ProLoser March 25, 2026 06:24
@github-actions

PR Preview Action v1.8.1

🚀 View preview at
https://ProLoser.github.io/PeaceInTheMiddleEast/preview/pr-196/

Built to branch gh-pages at 2026-03-27 20:23 UTC.
Preview will be ready when the GitHub Pages deployment is complete.
