Is there a helper function to safely encode a user-provided string so I don't accidentally shoot mys

Is there a helper function to safely encode a user-provided string so I don't accidentally shoot myself in the foot with XSS later down the road?

Ddave Is there a helper function to safely encode a user-provided string so I don't ac...

meyer•5/29/23, 7:11 PM

It Depends™. where is the string coming from, where will it be stored, and where will it be used?

Mmeyer It Depends™. where is the string coming from, where will it be stored, and where...

daveOP•5/29/23, 7:14 PM

untrusted string from an authenticated user

daveOP•5/29/23, 7:14 PM

it's stored in R2

daveOP•5/29/23, 7:15 PM

the "where will it be used" part is what I am not 100% sure of. I know our current use-cases, but I know I will 100% not remember this ~2 years down the road.

meyer•5/29/23, 7:17 PM

hmm, intriguing

meyer•5/29/23, 7:18 PM

just save it unencoded?

meyer•5/29/23, 7:18 PM

are you picking filenames or are they based on user input?

meyer•5/29/23, 7:19 PM

put a sticky note on your computer screen that says "hey when you build that thing in two years, don't forget that the data is user generated content"

Erisa•5/29/23, 7:23 PM

Even if you get it to your liking now, youll still need a plan when you eventually realise you need to escape some other thing too

Erisa•5/29/23, 7:24 PM

better to handle the sanitisation at the time the string is used

daveOP•5/29/23, 7:24 PM

eh screw it, I think I just won't echo back the user input in the error message

Erisa•5/29/23, 7:24 PM

iirc there are safe functions for adding content into html without causing xss

Erisa•5/29/23, 7:24 PM

but, im not a web developer, so i couldnt tell you which ones

Ddave eh screw it, I think I just won't echo back the user input in the error message ...

meyer•5/29/23, 8:08 PM

haha yeah that's a good start

meyer•5/29/23, 10:10 PM

maaan i was about to try out workers with some discord rich presence biz, but i just saw that discord intentionally blocks socket connections from CF workers. a tragedy

meyer•5/29/23, 10:10 PM

https://github.com/discord/discord-api-docs/issues/6145

GitHub

Gateway WebSocket API sending a 401 rather than upgrading to a WebS...

Description When I try to open a WebSocket connection to wss://gateway.discord.gg (the URL I get from the Gateway Bot REST endpoint) via the standard new WebSocket() client, I immediately get an er...

meyer•5/29/23, 10:11 PM

"due to a layered security approach" intriguing

meyer•5/29/23, 10:11 PM

maybe they autoban all free tier cloud stuff

kian•5/29/23, 10:12 PM

Nope

kian•5/29/23, 10:21 PM

Cloudflare did recently add HTTP/2 to origin but I don't think Workers use it even then

lmtr0•5/30/23, 2:46 AM

hi there, how can I bypass the cloudflare cache from the worker fetch until the client?

Sameer Ali•5/30/23, 3:35 AM

I have s database connected to my worker from us-east-1 region, I am using the app from us-west (Vancouver), but the cf-placements header always return local-yvrlocal-yvr. I was expecting it will use location near to my db server. (the app is making multiple api calls)

Stronk•5/30/23, 3:45 AM

is there a way to cache the response of a worker like you can for an r2 request

Stronk•5/30/23, 3:46 AM

i dont want to be hitting d1 too hard with reads if the data is staying the same

Chaika•5/30/23, 3:49 AM

You can use the cache api within Workers: https://developers.cloudflare.com/workers/runtime-apis/cache/
Workers run in front of cache though, so they will always be invocated/count as a worker request

Cache · Cloudflare Workers docs

The Cache API allows fine grained control of reading and writing from the Cloudflare global network cache.