[syslog-ng] SQL escaping
Nikolay P
nikolay.p at cos.flag.org
Sun Nov 23 20:19:04 CET 2014
Hello.
My syslog-ng (version 3.4.8) logs some messages into the PostgreSQL database. I am going to set up a web page which will display those logs.
I submitted log entry "alert('123')" surrounded by "script" HTML tags and displayed content of the database table on a web page.
JavaScript alerted "123" which means it is an XSS vulnerability.
I am not in control of incoming log messages and they can contain anything, so I have no trust in them.
Is there anything I can do from the syslog-ng side of things to close this XSS vulnerability or do I have to deal with it in my Web application?
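
The scenario described in the message above, as an added example that is not part of the original post: log rows rendered into an HTML table first as-is and then with every field HTML-encoded at output time. The column layout, function names and sample rows are assumptions made for illustration.

```python
import html

# Constructed sample rows, shaped like (timestamp, host, message) results
# from a log table. The column layout is an assumption. The stored message
# is kept exactly as received; nothing is altered in the database.
SAMPLE_ROWS = [
    ("2014-11-23 20:10:01", "host1", "sshd[812]: Accepted publickey for admin"),
    ("2014-11-23 20:11:37", "host2", "<script>alert('123')</script>"),
    ("2014-11-23 20:12:05", 'h"3', "disk usage > 90% & rising"),
]


def render_row_unsafe(ts, host, msg):
    """Behaviour described in the post: fields are pasted into markup as-is."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (ts, host, msg)


def render_row_escaped(ts, host, msg):
    """HTML-encode every untrusted field at output time.

    Host and timestamp also originate from the sender, so they are treated
    the same way as the message body.
    """
    cells = (html.escape(str(v), quote=True) for v in (ts, host, msg))
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


def render_table(rows, render_row=render_row_escaped):
    """Build the table; the escaping renderer is the default."""
    return "<table>\n" + "\n".join(render_row(*r) for r in rows) + "\n</table>"


if __name__ == "__main__":
    print(render_table(SAMPLE_ROWS, render_row_unsafe))  # script tag survives
    print(render_table(SAMPLE_ROWS))                     # script tag is inert text
```

html.escape covers HTML element content and quoted attribute values only; a value placed inside a script block, a URL or a style attribute needs the encoding for that context instead.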