I'm developing a real-time web app that uses socket.io. My concern is when loading the socket.io js file through this <script>/socket.io/socket.io.js</script> in the client side it exposes the io instance as a global object. Now if you open up chrome developer tools, you can now create a connection to the server with

var socket = io.connect();

anyone can now emit events and send malicious data to your server that is listening to client emitted events. I have this in my client code as an example:

(function (sio) {
    var socket = sio.connect();
    // some code here...
    // once a user submitted the comment, it will emit an comment:create event to the
    // server
    socket.emit("comment:create", comment);
}(io));

in chrome developer tools, I could create a connection and then emit the same event with some malicious arguments that could potentially crash my app like passing a null as the second argument. Is there a way to prevent such issue?

EDIT: My current solution is creating a local copy of the io instance in my client side code and then setting the global io object to null to prevent another connection be made.