3

We use the SLF4J interface, with our logger configuration in the logback.xml file.

We have a need to filter all parameters sent to the logger through the ESAPI HTML encoding filter. The ugly solution is simply to wrap each parameter with "ESAPI.getEncoder().encodeForHTML(..)", but the better solution requires steps I don't quite get yet.

I've seen "Implement Custom Logger with slf4j" and "OWASP-ESAPI logger help needed". The first option in the first answer seems interesting, but I don't quite understand what that means, or how to implement it.

I think the first posting provides info on how to implement a custom logger, but I need a custom logger that just provides a facade over the "default" logger (whatever that means).

David M. Karr

1 Answer

3

The latest release of ESAPI (2.2.0.0) includes support for SLF4J. See the release notes for details: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.0.0-release-notes.txt

If you have questions on how to use it, please post to the ESAPI-Users list that is referenced on the ESAPI README.md which is displayed at https://github.com/ESAPI/esapi-java-legacy

Kevin W. Wall
    BTW, this was discussed on the ESAPI-Users Google group. You can find the thread here if you are interested: https://groups.google.com/a/owasp.org/forum/#!topic/esapi-project-users/BInRFIJIfEY You do not need to subscribe to just read the thread, but only if you want to reply to it. – Kevin W. Wall May 17 '20 at 16:00
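
One way to build the facade the question describes, as an added example that is not code from the question, the answer or the ESAPI project: a thin wrapper that delegates to the SLF4J logger and HTML-encodes each argument first. The names `EncodingLogger`, `encodeAll` and `encode` are hypothetical, and the sketch assumes ESAPI is on the classpath with a loadable `ESAPI.properties`.

```java
import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical facade: same call shape as SLF4J, but every argument is encoded. */
public final class EncodingLogger {
    private final Logger delegate;

    private EncodingLogger(Logger delegate) {
        this.delegate = delegate;
    }

    public static EncodingLogger getLogger(Class<?> type) {
        // logback.xml still configures the underlying logger; nothing changes there.
        return new EncodingLogger(LoggerFactory.getLogger(type));
    }

    public void info(String format, Object... args) {
        if (delegate.isInfoEnabled()) delegate.info(format, encodeAll(args));
    }

    public void warn(String format, Object... args) {
        if (delegate.isWarnEnabled()) delegate.warn(format, encodeAll(args));
    }

    public void error(String format, Object... args) {
        if (delegate.isErrorEnabled()) delegate.error(format, encodeAll(args));
    }

    static Object[] encodeAll(Object... args) {
        if (args == null) return new Object[0];
        Object[] out = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            // SLF4J treats a trailing Throwable as the exception to print, so it
            // must stay a Throwable; its message is therefore NOT encoded here.
            boolean trailingThrowable = i == args.length - 1 && args[i] instanceof Throwable;
            out[i] = trailingThrowable ? args[i] : encode(args[i]);
        }
        return out;
    }

    static String encode(Object value) {
        // Replace line breaks first so a value cannot start a new log line,
        // then HTML-encode for log viewers that render entries in a browser.
        String s = String.valueOf(value).replace('\r', '_').replace('\n', '_');
        return ESAPI.encoder().encodeForHTML(s);
    }
}
```

The format string itself is passed through unencoded, so it should stay a compile-time constant with untrusted data supplied only through the `{}` arguments.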