 add server-side validation to ensure that the submitted parent_id value is valid for the user comment page.

The hidden_field method is vulnerable to manipulation by a technical person with access to the browser console, which could allow them to modify the parent_id value.