23 Nov 2014, 7:19 p.m.
Hello. My syslog-ng (version 3.4.8) logs some messages into the PostgreSQL database. I am going to set up a web page which will display those logs. I submitted the log entry "alert('123')" surrounded by "script" HTML tags and displayed the content of the database table on a web page. JavaScript alerted "123", which means it is an XSS vulnerability. I am not in control of incoming log messages and they can contain anything, so I have no trust in them. Is there anything I can do from the syslog-ng side of things to close this XSS vulnerability, or do I have to deal with it in my web application?
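
The stored-markup problem described in the post, shown as an added example that is not part of the original post: the same log rows rendered once by plain concatenation and once with HTML output encoding at render time. The column names (`host`, `program`, `message`), the sample rows and the function names are assumptions made for illustration.

```javascript
// Added example. Rows as they might come back from the PostgreSQL table
// that syslog-ng writes to; column names and values are constructed.
const rows = [
  { host: "web01", program: "sshd", message: "Accepted publickey for deploy" },
  { host: "web02", program: "app", message: "<script>alert('123')</script>" },
  { host: "web03", program: 'my"app', message: "a & b < c" },
];

// The five characters that are significant in HTML text nodes and in
// quoted attribute values, mapped to their entity forms.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a value for an HTML text node or a quoted attribute.
// Not sufficient for script, style or URL contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable form: log fields are concatenated into markup unchanged,
// so a message containing tags is parsed by the browser as markup.
function renderRowUnsafe(row) {
  return `<tr title="${row.program}"><td>${row.host}</td>` +
         `<td>${row.message}</td></tr>`;
}

// Hardened form: every untrusted field is encoded at the point of output,
// so the browser displays the stored bytes as text.
function renderRowSafe(row) {
  return `<tr title="${escapeHtml(row.program)}"><td>${escapeHtml(row.host)}</td>` +
         `<td>${escapeHtml(row.message)}</td></tr>`;
}

// Build the whole table with whichever row renderer is passed in.
function renderTable(rowList, renderRow) {
  return `<table>\n${rowList.map(renderRow).join("\n")}\n</table>`;
}

console.log(renderTable(rows, renderRowSafe));
```

Encoding at output leaves the database copy of each message byte-for-byte as received, so the logs stay intact for search and forensics.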