Do you need to validate the data sent to the API to make sure there is no malicious code sent in the comment textarea? Can you implement a feature to notify the owner of the blog when a comment is posted, or make the comment pending until approved by the owner?
It's always advised to do so in production-ready applications, especially if users can send HTML through form data (e.g. rich text editors). In that case, HTML sanitization is crucial - you can use DOMPurify or similar libs for that purpose. In our case here, while the risk of XSS is lower with a plain text comment field, it's still good practice to implement some level of validation like length limitations for comments or special characters sanitization. For the notification feature, you can use Sanity webhooks and trigger them when a new document of type "comment" is created. And for the approval system, it's just one more boolean-type field in the Sanity schema. Then when fetching comments just check for approved ones. I hope this helps! I'll definitely do a video on Sanity webhooks and sending emails in the upcoming days, so stay tuned :)
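As an added example (not code from the tutorial or from the commenter above), here is what the server side of that reply looks like in one place: length and character validation for the plain text comment field, the `approved` boolean that the API route sets itself so a client cannot pre-approve its own comment, and the GROQ query that only returns approved comments. The names `validateComment`, `buildCommentDoc`, `APPROVED_COMMENTS_QUERY` and the limits are this example's own assumptions; the sample request body is constructed. Rich text would still need DOMPurify as the reply says; `escapeHtml` here is plain output encoding for templates that do not escape by default.

```javascript
// Added example: server-side handling for a Sanity blog comment API route.
// Limits and function names are assumptions, not part of the tutorial.

const MAX_NAME_LENGTH = 80;
const MAX_COMMENT_LENGTH = 1000;

// Normalize to NFC, drop C0/C1 control characters (keeping tab and newline),
// unify line endings and trim, so stray bytes never reach the Sanity document.
function normalizeText(input) {
  return String(input)
    .normalize("NFC")
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/g, "")
    .replace(/\r\n?/g, "\n")
    .trim();
}

// Validate the JSON body the API route receives. Returns { ok, errors, value }.
// Any extra fields the client sends (such as "approved") are ignored.
function validateComment(body) {
  const errors = [];
  if (body === null || typeof body !== "object") {
    return { ok: false, errors: ["body must be a JSON object"], value: null };
  }
  const name = typeof body.name === "string" ? normalizeText(body.name) : "";
  const comment = typeof body.comment === "string" ? normalizeText(body.comment) : "";
  const postId = typeof body.postId === "string" ? body.postId : "";

  // Count code points, not UTF-16 units, so emoji do not miscount the limit.
  if (name.length === 0) errors.push("name is required");
  if ([...name].length > MAX_NAME_LENGTH) errors.push(`name longer than ${MAX_NAME_LENGTH} characters`);
  if (comment.length === 0) errors.push("comment is required");
  if ([...comment].length > MAX_COMMENT_LENGTH) errors.push(`comment longer than ${MAX_COMMENT_LENGTH} characters`);
  // Assumed Sanity document id shape: letters, digits, dot, dash, underscore.
  if (!/^[A-Za-z0-9._-]+$/.test(postId)) errors.push("postId is not a valid Sanity document id");

  if (errors.length > 0) return { ok: false, errors, value: null };
  return { ok: true, errors, value: { name, comment, postId } };
}

// Build the document the server writes with the Sanity client. "approved" is
// always false here, so the only way to approve is editing it in the Studio.
function buildCommentDoc(value) {
  return {
    _type: "comment",
    name: value.name,
    comment: value.comment,
    approved: false,
    post: { _type: "reference", _ref: value.postId },
  };
}

// GROQ query for the blog page: approved comments for one post only.
// Older documents without the field are excluded because undefined != true.
const APPROVED_COMMENTS_QUERY =
  '*[_type == "comment" && approved == true && post._ref == $postId] | order(_createdAt desc)';

// Output encoding for the rare case the comment is placed into raw HTML.
// (React already escapes text children; this is for templates that do not.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample request: a client trying to smuggle a NUL byte and to
// set "approved" itself. The route ignores the flag and strips the byte.
const sampleBody = {
  name: "Ada",
  comment: "Nice post!\u0000<script>alert(1)</script>",
  postId: "post-1",
  approved: true,
};
const result = validateComment(sampleBody);
const docToWrite = result.ok ? buildCommentDoc(result.value) : null;
console.log(JSON.stringify({ result, docToWrite, query: APPROVED_COMMENTS_QUERY }, null, 2));
```

In the API route you would call `validateComment(req.body)`, return 400 with `errors` when `ok` is false, and otherwise pass `buildCommentDoc(value)` to `client.create(...)` using a write token that lives only on the server; the page then fetches with `client.fetch(APPROVED_COMMENTS_QUERY, { postId })`.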