[syslog-ng] SQL escaping

Gergely Nagy algernon at madhouse-project.org
Mon Nov 24 07:59:17 CET 2014


>>>>> "Nikolay" == Nikolay P <nikolay.p at cos.flag.org> writes:

    Nikolay> Is there anything I can do from the syslog-ng side of
    Nikolay> things to close this XSS vulnerability, or do I have to deal
    Nikolay> with it in my Web application?

You can apply rewrite rules that replace "<" with "&lt;", for example,
but that's more a workaround than a solution. It is the web app that you
will have to teach to sanitize its input, if you want to avoid such
vulnerabilities.

-- 
|8]
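
An added example, not part of the original post: a Python sketch of why replacing "<" at the syslog-ng side is only a workaround, compared with encoding in the web application at output time. The view function `render_row` and the sample messages are hypothetical and constructed, and the rewrite rule is emulated with a plain string replace.

```python
import html

# Constructed sample log messages (not taken from the thread).
TAG_MSG = 'sshd: invalid user <admin> from 192.0.2.7'
QUOTE_MSG = 'app: opened file "report.txt" & closed it'


def syslog_rewrite_workaround(msg: str) -> str:
    """Emulate the rewrite rule from the reply: "<" becomes "&lt;" before storage."""
    return msg.replace("<", "&lt;")


def render_row(stored_msg: str, escape_on_output: bool) -> str:
    """Hypothetical web-app view: the message is used as cell text and as a
    title attribute, so it lands in two different HTML contexts."""
    shown = html.escape(stored_msg, quote=True) if escape_on_output else stored_msg
    return f'<td title="{shown}">{shown}</td>'


def compare(msg: str) -> dict:
    """Render one message under the three possible combinations."""
    rewritten = syslog_rewrite_workaround(msg)
    return {
        # Workaround only: quotes and "&" still reach the page unencoded.
        "rewrite_only": render_row(rewritten, escape_on_output=False),
        # Fix in the web app: every HTML-significant character is encoded.
        "app_escapes": render_row(msg, escape_on_output=True),
        # Both at once: "&lt;" is encoded again and shows up as literal text.
        "both": render_row(rewritten, escape_on_output=True),
    }


if __name__ == "__main__":
    for sample in (TAG_MSG, QUOTE_MSG):
        for name, out in compare(sample).items():
            print(f"{name:13} {out}")
```

The `both` case shows a side effect of escaping before storage: once the application encodes on output, the stored `&lt;` is displayed as literal text instead of `<`.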