On Mon, 13 Dec 2021 at 13:25, Aleksandar Lazic <al-hapr...@none.at> wrote:
> 1. Why is an input from outside of the application passed unchecked to the
> logging library!

Because you can't predict the future.

When you know that your backend is SQL, you escape what's necessary to
avoid SQL injection (or use prepared statements) before sending
commands against the database.
When you know your output is HTML, you escape HTML special characters,
so untrusted inputs can't inject HTML tags.

That's what input validation means.

How exactly do you verify and sanitise inputs to protect against an
unknown vulnerability with an unknown syntax in a logging library that
is supposed to handle all strings just fine? You don't, it doesn't
work this way, and that's not what input validation means.


Lukas
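A worked illustration of the point Lukas makes above, added here as an example and not code from the original thread: the same untrusted string is sent to three sinks it is known about (an SQL query, an HTML page, a plain-text log line), and each sink gets its own encoder. The table layout, the `users` rows and the sample inputs are constructed for the demo; the log encoder only neutralises line breaks and control characters, which is what a plain-text log needs, and says nothing about any syntax a particular logging library might interpret.

```python
import html
import sqlite3


def encode_for_html(untrusted: str) -> str:
    # HTML sink: escape the characters that can open a tag or break out of an attribute.
    return html.escape(untrusted, quote=True)


def query_user(conn: sqlite3.Connection, username: str):
    # SQL sink: a parameterized query; the driver keeps the value out of the statement text,
    # so no escaping of quotes by the application is needed (or wanted).
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchall()


def encode_for_log(untrusted: str) -> str:
    # Plain-text log sink: a line break inside one value would otherwise start a new,
    # forged record. Escape CR/LF and other control characters so one value stays one line.
    out = []
    for ch in untrusted:
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_demo_db() -> sqlite3.Connection:
    # Constructed in-memory table for the demo (not from the thread).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def handle_request(conn: sqlite3.Connection, username: str) -> dict:
    """One untrusted value, three known sinks, three sink-specific treatments."""
    return {
        "sql_rows": query_user(conn, username),
        "html": "<p>Hello, %s</p>" % encode_for_html(username),
        "log": "login attempt user=%s" % encode_for_log(username),
    }


if __name__ == "__main__":
    db = build_demo_db()
    for sample in ("alice", "<b>bob</b>", "bob\nlogin attempt user=admin"):
        print(handle_request(db, sample))
```

Note that nothing here is a generic "sanitise everything" pass on the input: each encoder is chosen by the sink it feeds, and a sink whose parsing rules you do not know cannot be given an encoder in advance.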
