GitHub user rm5248 added a comment to the discussion: Threat model: how should Thread Context (MDC) keys be classified (trusted structural or untrusted content)?
For safe vs. unsafe strings, I'll take an idea from [Joel Spolsky](https://www.joelonsoftware.com/2005/05/11/making-wrong-code-look-wrong/) and propose something like the following:

```
MDC map;
map[key_from_user] = value_from_user; // unsafe
map[SafeString("foobar")] = SafeString("baz"); // both safe strings
map[SafeString("bar")] = value_from_user; // safe key, unsafe value
```

The idea is that all strings in the MDC are unsafe by default, but you could wrap them in a `SafeString` to do whatever else it is that safe does.

Note: I'm not suggesting implementing this at the moment, as looking at Jan's comments I would tend to agree that both the keys and values should be unsafe by default. If there is a demand for safe strings in the MDC, something like the above could provide a good implementation.

GitHub link: https://github.com/apache/logging-log4j2/discussions/4132#discussioncomment-17135766
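
The wrapper idea from the comment above, worked through in C++ as an added example (not code from the comment's author or from the Log4j project). `MdcString`, `escape`, `render` and the `key=value` output layout are assumptions made for illustration: plain strings are tainted by default and escaped on output, while only `SafeString` parts are emitted verbatim.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Explicit marker for strings the developer vouches for (name from the comment).
struct SafeString {
    explicit SafeString(const std::string& s) : text(s) {}
    std::string text;
};

// Hypothetical storage type: text plus a trust flag. Plain strings convert
// implicitly and stay untrusted; only a SafeString sets trusted = true.
struct MdcString {
    MdcString() = default;
    MdcString(const std::string& s) : text(s) {}
    MdcString(const char* s) : text(s) {}
    MdcString(const SafeString& s) : text(s.text), trusted(true) {}
    bool operator<(const MdcString& o) const { return text < o.text; }
    std::string text;
    bool trusted = false;
};
using MDC = std::map<MdcString, MdcString>;

// Escape characters that could forge structure in a "k=v, k=v" layout.
std::string escape(const std::string& in) {
    std::string out;
    for (unsigned char c : in) {
        if (c == '\n') out += "\\n";
        else if (c == '\r') out += "\\r";
        else if (c == '\\') out += "\\\\";
        else if (c == '=' || c == ',' || c < 0x20 || c == 0x7f) {
            char buf[5];  // "\xNN" plus terminating NUL
            std::snprintf(buf, sizeof buf, "\\x%02x", static_cast<unsigned>(c));
            out += buf;
        } else out += static_cast<char>(c);
    }
    return out;
}
std::string emit(const MdcString& s) { return s.trusted ? s.text : escape(s.text); }

// Render the context; untrusted keys and values are escaped, trusted ones are not.
std::string render(const MDC& mdc) {
    std::string out;
    for (const auto& kv : mdc) {
        if (!out.empty()) out += ", ";
        out += emit(kv.first) + "=" + emit(kv.second);
    }
    return out;
}
```

Because the default conversion is the untrusted one, forgetting the wrapper costs only extra escaping, never an unescaped user string.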
