Comments (9)
from owasp-java-encoder.
Consider logging to a structured format such as JSON - then standard JSON encoding would be sufficient. Logging to JSON is often a good choice.
Hi @katyanton, The OWASP Security Logging Project includes an encoder for Logback, but for Log4J we recommend using the built-in encoder:
https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging
Hi @augustd - I'm aware of the encoding for Log4J, but this is available only in version 2, not version 1.
Hi @jeremylong - I hear what you're saying and it makes sense.
The corresponding method in OWASP Encoder would be Encode#forJavaScriptSource(String).
It would be a bit counterintuitive for a developer to know to use that method though.
Unfortunately Log4J version 1 is somewhat lacking in the extensibility department (most of the classes are actually final). Is that a hard requirement? Ideally you should be moving towards Log4J2 - you will get many more features and better performance. Otherwise feel free to submit a feature request at OWASP Security Logging and we can look into adding an encoder for version 1.
For ESAPI I actually created a whole wrapper for the Log4JLogger which does the encoding, but then you have to use ESAPI's API, not Log4J's.
We politely do not think this library is the right place for logging functions. Please consider the OWASP Logging project for this request!
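The two mitigations raised in this thread, neutralising line breaks in untrusted values before they reach a text log and writing structured JSON lines instead, as an added, self-contained Java example. This is not code from OWASP Java Encoder, OWASP Security Logging or Log4J; the class name LogSafe and its methods are hypothetical, and it uses only java.util.logging so it compiles without either library. The OWASP Encoder method named above, Encode#forJavaScriptSource(String), would play the role of neutralize() here; this example implements its own escaping so the effect is visible in one file.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Logger;

// Hypothetical helper (added example, not part of any OWASP project or Log4J).
public final class LogSafe {
    private static final Logger LOG = Logger.getLogger(LogSafe.class.getName());

    // Option 1 (text logs): escape CR, LF, tab, backslash and any other control
    // character so an untrusted value can never terminate the current log line
    // and start a forged one. The escaped form is reversible for an analyst.
    public static String neutralize(String untrusted) {
        if (untrusted == null) return "null";
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '\r': sb.append("\\r"); break;
                case '\n': sb.append("\\n"); break;
                case '\t': sb.append("\\t"); break;
                case '\\': sb.append("\\\\"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    // Option 2 (structured logs): one JSON object per line. Standard JSON string
    // escaping already makes line breaks and quotes inert, so no logging-specific
    // encoder is needed; the log consumer parses fields instead of free text.
    public static String jsonLine(Map<String, String> fields) {
        StringBuilder sb = new StringBuilder("{");
        boolean first = true;
        for (Map.Entry<String, String> e : fields.entrySet()) {
            if (!first) sb.append(',');
            first = false;
            sb.append('"').append(jsonEscape(e.getKey())).append("\":\"")
              .append(jsonEscape(e.getValue())).append('"');
        }
        return sb.append('}').toString();
    }

    // Minimal JSON string escaping per RFC 8259: quote, backslash and all
    // control characters below U+0020 must be escaped.
    static String jsonEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value: a username field that contains a CR/LF pair.
        // Logged raw, the text after the line break would appear as its own entry.
        String username = "alice\r\nWARN  second line";

        // Text log: the value stays on one line, with the control characters visible.
        LOG.info("login failed for user=" + neutralize(username));

        // Structured log: the same value as a JSON field, escaped by jsonLine().
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("event", "login_failed");
        fields.put("user", username);
        LOG.info(jsonLine(fields));
    }
}
```

Running main() writes two records, each on a single line: the first shows user=alice\r\nWARN  second line literally, the second is {"event":"login_failed","user":"alice\r\nWARN  second line"}. Which option to pick follows the thread: if the logging framework (Log4J 2, or Logback with the OWASP Security Logging encoder) already escapes control characters in its layout, option 1 is redundant; with Log4J 1, which has no such encoder, either neutralising at the call site or switching the whole pipeline to JSON lines is what actually closes the gap.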