I'm running into sort of a dilemma with my logging.
I have ESAPI.properties set the options for the logs as follows:
LogLevel=INFO
LogEncodingRequired=true
In my application, if I call ESAPI.getLogger(MyClass.class).info(Logger.USABILITY, true, message), it will print out the message with the encoded characters (if there are any of these: <, >, &, ', ", and so on).
The issue is, the messages that I will print out to the logs will have these characters, and the log.info call above will mess up how the log looks with all the encoded characters.
Question: If I set LogEncodingRequired=false (which then outputs the message as it is), does it raise the possibility of my log files (which can be viewed in a web browser) being vulnerable to XSS?
Sounds like you are viewing your logs using a web based tool which does not properly encode its outputs, or are viewing the raw web logs in a web browser. Modifying this value will definitely increase the likelihood of XSS in the event you are not properly validating user supplied data as it enters the application (which is then written to these logs). This can also lead to log injection.
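The following is an added Python illustration of the trade-off discussed in the question and the answer above; it is not ESAPI code and does not reproduce ESAPI's logger internals. It models the two settings as a flag: with encoding on, the characters <, >, &, ', " are HTML-encoded before the line is written, so a browser-based log viewer renders them as text; with encoding off, raw markup reaches the log file. CR/LF are replaced in both modes so one message cannot forge an extra log line (the log injection the answer mentions). The sample message, the logger name and the function names are constructed for this example.

```python
import html
import io
import logging

# Constructed sample log message: the kind of user-supplied value (for example
# a username field) that commonly ends up in an application log.
SAMPLE_MESSAGE = "login failed for user <script>alert('x')</script>\nINFO fake admin login OK"


def sanitize_for_log(message: str, encoding_required: bool) -> str:
    """Model the two LogEncodingRequired settings from the question.

    CR/LF are always replaced so a single message cannot forge extra log
    lines (log injection). HTML encoding of < > & ' " is applied only when
    encoding_required is True, the analogue of LogEncodingRequired=true.
    """
    neutralized = message.replace("\r", "_").replace("\n", "_")
    if encoding_required:
        return html.escape(neutralized, quote=True)
    return neutralized


class LogEncodingFilter(logging.Filter):
    """logging.Filter that rewrites each record's message before it is emitted."""

    def __init__(self, encoding_required: bool) -> None:
        super().__init__()
        self.encoding_required = encoding_required

    def filter(self, record: logging.LogRecord) -> bool:
        # Resolve %-args first, then replace msg with the sanitized text.
        record.msg = sanitize_for_log(record.getMessage(), self.encoding_required)
        record.args = ()
        return True


def render_log_line(message: str, encoding_required: bool) -> str:
    """Log one message through a standalone logger and return the written line."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.Logger("log-encoding-demo")  # standalone, not registered globally
    logger.setLevel(logging.INFO)
    logger.addFilter(LogEncodingFilter(encoding_required))
    logger.addHandler(handler)
    logger.info(message)
    handler.flush()
    return buffer.getvalue().rstrip("\n")


def contains_markup(line: str) -> bool:
    """True if the written line still carries raw HTML tag delimiters, which a
    browser-based log viewer without output encoding would interpret as HTML."""
    return "<" in line or ">" in line


if __name__ == "__main__":
    for flag in (True, False):
        line = render_log_line(SAMPLE_MESSAGE, flag)
        print(f"LogEncodingRequired={str(flag).lower()} -> {line}")
        print("  raw markup reaches the log file:", contains_markup(line))
```

Running the block shows the encoded line is noisier to read but carries no tag delimiters, while the unencoded line keeps the raw <script> text; the CR/LF replacement is what keeps the forged "INFO fake admin login OK" on the same physical line in both modes. The practical consequence matches the answer: turning encoding off is only reasonable if the log viewer encodes on output (or the logs are never rendered as HTML), and validating input at the application boundary is needed in either case.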