google / flogger

A Fluent Logging API for Java
Apache License 2.0

Add support for log encoding #162

Open niceone548 opened 4 years ago

niceone548 commented 4 years ago

It would be nice if we had the option to encode / escape our log output. Something like:

```java
logger.atInfo().withCause(exception).encode().log("Log message with: %s", argument);
logger.atInfo().withCause(exception).log("Log message with: %s", argument).encode();
logger.atInfo().withCause(exception).logEncoded("Log message with: %s", argument);
```

This way developers would become more security aware, and log forging would become a lot harder overall. OWASP already has an encoder for this: https://mvnrepository.com/artifact/org.owasp.encoder/encoder/1.2.2

If you don't know what log forging is, give this a read: http://www.jtmelton.com/2010/09/21/preventing-log-forging-in-java/

hagbard commented 4 years ago

Solving an "escaping" problem is not something you can do by changing the Flogger API.

Flogger doesn't know or care where the logs go. The right place to care about output is the logger backend. The backend might not even log to a text file at all, making "encoding" an entirely meaningless concept in those situations.

On an API note, you definitely wouldn't want to leave it up to random logging API users to know what "encoding" means and understand if/when they have to use it. If you are showing log files to users via web pages, you must handle escaping as you would for any untrusted text input (and you do that somewhere other than the logger API).

Feel free to implement a logger backend or handler for JDK logger or Log4J to encode log records as HTML or whatever you want. The data is all there.

HTH, David

On Thu, 7 May 2020 at 16:36, niceone548 notifications@github.com wrote:

-- David Beaumont :: Îñţérñåţîöñåļîžåţîờñ Libraries :: Google Google Switzerland GmbH., Brandschenkestrasse 110, CH-8002, Zürich - Switzerland
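The backend-side approach David describes, as an added example that is not part of the Flogger project or this thread: a `java.util.logging` Formatter that neutralises CR/LF and other control characters so one log record can never be rendered as two lines. It assumes Flogger's default JDK backend is in use (which hands already-formatted records to `java.util.logging`, so handlers see the final message); the class name, logger name and sample input are constructed for the example.

```java
import java.util.logging.Formatter;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.StreamHandler;

/** Hypothetical formatter: escapes control characters in the message at the backend,
 *  so attacker-controlled arguments cannot forge a new log line. */
public final class LogForgingSafeFormatter extends Formatter {

  /** Replace CR, LF, tab, backslash and other control characters with visible escapes. */
  static String neutralise(String s) {
    StringBuilder out = new StringBuilder(s.length() + 16);
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '\r': out.append("\\r"); break;
        case '\n': out.append("\\n"); break;
        case '\t': out.append("\\t"); break;
        case '\\': out.append("\\\\"); break;   // keep the escaping unambiguous
        default:
          if (c < 0x20 || c == 0x7f) {
            out.append(String.format("\\u%04x", (int) c));
          } else {
            out.append(c);
          }
      }
    }
    return out.toString();
  }

  @Override
  public String format(LogRecord record) {
    // formatMessage() resolves {0}-style parameters; with Flogger's JDK backend the
    // message is already fully formatted, so it returns the message unchanged.
    String msg = neutralise(formatMessage(record));
    return String.format("%s %s: %s%n", record.getLevel(), record.getLoggerName(), msg);
  }

  public static void main(String[] args) {
    Logger logger = Logger.getLogger("example");      // constructed logger name
    logger.setUseParentHandlers(false);
    Handler handler = new StreamHandler(System.out, new LogForgingSafeFormatter());
    logger.addHandler(handler);
    // Constructed input: a value that tries to inject a fake second record via a newline.
    String userInput = "alice\nINFO example: admin login succeeded";
    logger.log(Level.INFO, "login failed for user: {0}", userInput);
    handler.flush();   // StreamHandler buffers; flush so the single escaped line appears
  }
}
```

Where HTML output is the concern, the same `format()` hook is the place to apply an HTML encoder such as the OWASP one linked above, rather than the fluent API.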