
How to write a slf4j logger that adds an esapi filter for all parameters

We use the SLF4J interface, with our logger configuration in the logback.xml file.

We have a need to filter all parameters sent to the logger through the ESAPI HTML encoding filter. The ugly solution is simply to wrap each parameter with "ESAPI.getEncoder().encodeForHTML(..)", but the better solution requires steps I don't quite get yet.

I've seen "Implement Custom Logger with slf4j" and "OWASP-ESAPI logger help needed". The first option in the first answer seems interesting, but I don't quite understand what that means, or how to implement it.

I think the first posting provides info on how to implement a custom logger, but I need a custom logger that just provides a facade over the "default" logger (whatever that means).

David M. Karr asked Nov 25 '25 13:11


1 Answer

The latest release of ESAPI (2.2.0.0) includes support for SLF4J. See the release notes for details: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.0.0-release-notes.txt

If you have questions on how to use it, please post to the ESAPI-Users list that is referenced on the ESAPI README.md which is displayed at https://github.com/ESAPI/esapi-java-legacy

Kevin W. Wall answered Nov 27 '25 02:11
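The facade the question asks about, as an added example (not code from either poster or from the ESAPI project): a thin wrapper that HTML-encodes every parameter and then delegates to whatever SLF4J logger logback.xml configures. The class name `EncodingLogger` is hypothetical, and the sketch assumes ESAPI is on the classpath with a working ESAPI.properties and that format strings are constants rather than user input.

```java
import org.owasp.esapi.ESAPI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical facade: delegates to the SLF4J logger that logback.xml already
 * configures, after HTML-encoding every message parameter with ESAPI.
 */
public final class EncodingLogger {
    private final Logger delegate;

    private EncodingLogger(Logger delegate) {
        this.delegate = delegate;
    }

    public static EncodingLogger getLogger(Class<?> type) {
        return new EncodingLogger(LoggerFactory.getLogger(type));
    }

    /** Encode each parameter; nulls and Throwables pass through unchanged. */
    static Object[] encode(Object... args) {
        if (args == null) {
            return new Object[0];
        }
        Object[] out = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            Object a = args[i];
            // A trailing Throwable must stay a Throwable so SLF4J still prints
            // its stack trace; its message text is therefore NOT encoded here.
            out[i] = (a == null || a instanceof Throwable)
                    ? a
                    : ESAPI.getEncoder().encodeForHTML(String.valueOf(a));
        }
        return out;
    }

    // Level checks first, so disabled levels never pay the encoding cost.
    public void debug(String format, Object... args) {
        if (delegate.isDebugEnabled()) delegate.debug(format, encode(args));
    }
    public void info(String format, Object... args) {
        if (delegate.isInfoEnabled()) delegate.info(format, encode(args));
    }
    public void warn(String format, Object... args) {
        if (delegate.isWarnEnabled()) delegate.warn(format, encode(args));
    }
    public void error(String format, Object... args) {
        if (delegate.isErrorEnabled()) delegate.error(format, encode(args));
    }
}
```

Call sites swap `LoggerFactory.getLogger(Foo.class)` for `EncodingLogger.getLogger(Foo.class)` and keep the usual `log.info("user={}", name)` style. Because the call now passes through the wrapper, logback caller-location patterns such as `%class` and `%line` will report the wrapper rather than the calling class.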


