JS: Move js/log-injection into non-experimental. #4751
Conversation
6c01e4c to
afbb921
Compare
|
Could you run an evaluation? I believe this is the first use of |
|
An evaluation on And profilling just |
|
@asgerf Can I get an approve? |
|
@mchammer01 can I get a doc review? |
|
@erik-krogh - will try to look at this later today (I have urgent things to do for the GHES 30 docs ship first). |
There was a problem hiding this comment.
@erik-krogh - this LGTM 🙂 , I have a few comments on the qhelp file but because the file has been moved without any changes, I couldn't comment on the diff, so please find my comments below. As usual, feel free to ignore if you think some aren't relevant.
-
"If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries." seems a bit like a repetition of the query name that appears just above. I'd perhaps suggest removing it?
-
"If the log entries are plain text then line breaks should be removed from user input, using String.prototype.replace or similar. Care should also be taken that user input is clearly marked in log entries" - remove the "and that a malicious user cannot cause confusion in other ways.", I think it's implied, and it doesn't add anything new.
-
"If the log entries are plain text " -> "If the log entries are written in plain text" or "If the log entries are in plain text"
-
"For log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection." - add an hyphen between
HTMLandencoded. -
"In the second case, the username is used to build an error", add a comma between "case" and "the username".
Hope this helps!
|
Thanks for the review. Can I get a final approve @mchammer01 and @asgerf? |
mchammer01
left a comment
There was a problem hiding this comment.
Thank you for the updates @erik-krogh ✨
LGTM from my point of view 👍🏻
I added API-graphs to
Logging.qllsuch that the manual property-tracking implemented inLogInjection.qllwas no longer needed.