[slf4j-user] Strategies for filtering logging parameters through ESAPI filters

David Karr davidmichaelkarr at gmail.com
Thu Oct 10 18:28:57 CEST 2019


We use the slf4j library, with logback.xml to configure our loggers.

We have a need to ensure that any parameters passed to the logging methods
that could have been provided by an external source are passed through
the ESAPI HTML encoding filter.  It is straightforward to simply wrap every
parameter value with "ESAPI.encoder().encodeForHTML(value)", but that's
really verbose.

I wish there was a less verbose solution that still gives us a reasonable
balance of security.  I thought perhaps I could write a Logger subclass
with "infoS", "errorS", "debugS" methods that pass their parameters into the
ESAPI filter, but I realized that we use the Logger interface, so that
isn't practical.  I then started looking at whether I can make the
LoggerFactory return a custom subclass that unconditionally passes all the
parameters to the filter.  Even if I can do that, I'm not sure I want to do
that, as it's not clear to me what the performance impact will be for
passing all these parameters through the filter.

Has anyone else dealt with this?
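One way to get the "encode every parameter, touch no call site" behaviour the post asks about, without subclassing Logger or replacing what LoggerFactory returns, is to do the encoding inside logback rather than in SLF4J. The example below is added here and is not code from the post, from SLF4J or from ESAPI; it assumes logback-classic and the ESAPI jar (with its ESAPI.properties) are on the classpath, and the package, class name and the conversion word "encmsg" are hypothetical. The converter reads the raw `{}` template and argument array from the event, runs each argument through `ESAPI.encoder().encodeForHTML(...)` (the call already used in the post) and re-renders the template with SLF4J's own `MessageFormatter`. Because a logback converter only runs for events that have already passed the level and filter checks, the encoding cost is paid only for lines that are actually written, which answers the performance worry about disabled DEBUG calls.

```java
package com.example.logging; // hypothetical package, not from the original post

import ch.qos.logback.classic.pattern.ClassicConverter;
import ch.qos.logback.classic.spi.ILoggingEvent;
import org.owasp.esapi.ESAPI;
import org.slf4j.helpers.MessageFormatter;

/**
 * Logback converter that HTML-encodes every SLF4J argument before the
 * "{}" template is rendered. Call sites keep using the plain Logger
 * interface; encoding happens once, at output time, and only for events
 * that survived the level/filter checks.
 *
 * Registration in logback.xml (conversion word "encmsg" is hypothetical):
 *
 *   <conversionRule conversionWord="encmsg"
 *                   converterClass="com.example.logging.HtmlEncodingMessageConverter"/>
 *   <appender ...>
 *     <encoder>
 *       <pattern>%d %-5level %logger - %encmsg%n</pattern>
 *     </encoder>
 *   </appender>
 */
public class HtmlEncodingMessageConverter extends ClassicConverter {

    @Override
    public String convert(ILoggingEvent event) {
        Object[] args = event.getArgumentArray();
        if (args == null || args.length == 0) {
            // No parameters: the template text is developer-controlled,
            // so the already-formatted message is returned unchanged.
            return event.getFormattedMessage();
        }

        Object[] encoded = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            Object arg = args[i];
            // Nulls are left for the formatter to print as "null"; everything
            // else is stringified and HTML-encoded. This deliberately gives up
            // SLF4J's deep toString of array arguments in exchange for
            // guaranteeing that every externally supplied value is encoded.
            encoded[i] = (arg == null)
                    ? null
                    : ESAPI.encoder().encodeForHTML(String.valueOf(arg));
        }

        // Re-render the original "{}" template with the encoded arguments.
        // Logback has already removed a trailing Throwable that it adopted as
        // the event's exception, so stack traces are still printed by the
        // layout as usual and are not HTML-encoded here.
        return MessageFormatter.arrayFormat(event.getMessage(), encoded).getMessage();
    }
}
```

Two caveats worth weighing before adopting this. First, the encoding is applied per appender pattern, so an appender whose pattern still uses `%msg` writes the raw values; the defence is only as complete as the logback.xml review that backs it. Second, HTML entity encoding is the policy the post describes, but the classic log-injection risk is forged lines via embedded CR/LF; `encodeForHTML` does neutralise those characters as entities, and if only line-break neutralisation is wanted, logback's built-in `%replace(%msg){'[\r\n]', ''}` conversion word achieves that in the pattern alone with no custom class.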

