We use the slf4j library, with logback.xml to configure our loggers.

We have a need to ensure that any parameters passed to the logging methods
that could have been provided by an external source are passed through
the ESAPI HTML encoding filter.  It is straightforward to simply wrap every
parameter value with "ESAPI.encoder().encodeForHTML(value)", but that's
really verbose.

I wish there was a less verbose solution that still gives us a reasonable
balance of security.  I thought perhaps I could write a Logger subclass
with "infoS", "errorS", "debugS" methods, that pass its parameters into the
ESAPI filter, but I realized that we use the Logger interface, so that
isn't practical.  I then started looking at whether I can make the
LoggerFactory return a custom subclass that unconditionally passes all the
parameters to the filter.  Even if I can do that, I'm not sure I want to do
that, as it's not clear to me what the performance impact will be for
passing all these parameters through the filter.

Has anyone else dealt with this?
_______________________________________________
slf4j-user mailing list
[email protected]
http://mailman.qos.ch/mailman/listinfo/slf4j-user
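One way to get the encoding without wrapping every call site, as an added example that is not part of the original post: a logback converter that runs the rendered message through ESAPI.encoder().encodeForHTML(), registered in logback.xml under a custom conversion word. The package name, the conversion word "encMsg" and the sample message are assumptions; it assumes logback-classic and the ESAPI library are on the classpath.

```java
// Added example (not from the original post): a logback ClassicConverter that
// HTML-encodes the rendered log message once per emitted event, so callers
// keep using the plain slf4j Logger interface. Package name is hypothetical.
package com.example.logging;

import ch.qos.logback.classic.pattern.ClassicConverter;
import ch.qos.logback.classic.spi.ILoggingEvent;
import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class HtmlEncodingMessageConverter extends ClassicConverter {

    @Override
    public String convert(ILoggingEvent event) {
        // getFormattedMessage() has already substituted the {} placeholders,
        // so every externally supplied parameter value is included here.
        String message = event.getFormattedMessage();
        if (message == null) {
            return "";
        }
        // Runs only for events that passed level/filter checks, so disabled
        // levels never pay the encoding cost.
        return ESAPI.encoder().encodeForHTML(message);
    }

    /*
     * Register the converter in logback.xml and use %encMsg instead of %msg:
     *
     * <configuration>
     *   <conversionRule conversionWord="encMsg"
     *       converterClass="com.example.logging.HtmlEncodingMessageConverter"/>
     *   <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
     *     <encoder>
     *       <pattern>%d{HH:mm:ss.SSS} %-5level %logger{36} - %encMsg%n</pattern>
     *     </encoder>
     *   </appender>
     *   <root level="info"><appender-ref ref="STDOUT"/></root>
     * </configuration>
     */

    // Constructed sample call: the untrusted value below is logged unwrapped and
    // reaches the appender already encoded (e.g. &lt;script&gt;...).
    public static void main(String[] args) {
        Logger log = LoggerFactory.getLogger(HtmlEncodingMessageConverter.class);
        String untrustedUser = "<script>alert(1)</script>";  // constructed input
        log.info("login attempt for user {}", untrustedUser);
    }
}
```

Note that this encodes the whole formatted message, including the static text and any parameters that were already trusted, so "&" and "<" in your own message templates will also appear encoded in the output.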
